CVE-2003-0097

Name of the Vulnerable Software and Affected Versions PHP versions 4.0 through 4.3.1 PHP version 4.3.0

Description The issue allows attackers to access arbitrary files as the PHP user and possibly execute PHP code by bypassing the CGI force redirect settings. Additionally, there is an integer overflow in the socket iovec alloc(), socket recvfrom(), and socket recv() functions. If PHP is compiled with the -enable-sockets option, a remote attacker could send a specially-crafted request to cause a segmentation fault in the child process when one of these functions is called.

Recommendations For PHP versions 4.0 through 4.3.1, consider disabling the CGI module or restricting access to it until a patch is available. For PHP version 4.3.0, restrict access to the vulnerable CGI module to minimize the risk of exploitation. As a temporary workaround, consider disabling the socket iovec alloc(), socket recvfrom(), and socket recv() functions until a patch is available.