CVE-2006-4020

Name of the Vulnerable Software and Affected Versions PHP versions 4.4.3 and earlier PHP versions 5.1.4 and earlier

Description The issue allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping. This can trigger a buffer over-read. The vulnerability is also described as a 'safe mode' restriction-bypass issue, which could allow an attacker to write files in unauthorized locations and potentially execute code. The problem is caused by an array boundary error in the "sscanf()" PHP function when processing the "$1s" format specifier, allowing an attacker to reference freed memory by passing an unset variable as an argument.

Recommendations For PHP versions 4.4.3 and earlier, update to a version later than 4.4.3 to resolve the issue. For PHP versions 5.1.4 and earlier, update to a version later than 5.1.4 to resolve the issue. As a temporary workaround, consider restricting the use of the sscanf() function until a patch is available. Avoid using the "$1s" format specifier in the sscanf() function to minimize the risk of exploitation.