PT-2016-3413

Published: 2016-04-21 · Updated: 2024-08-06 · CVE-2016-4070

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

PHP versions prior to 5.5.34
PHP versions 5.6.x prior to 5.6.20
PHP versions 7.x prior to 7.0.5
Description

An integer overflow in PHP's rawurlencode function can be exploited by remote attackers to cause a denial of service (application crash) by passing a long string to rawurlencode. The vendor has expressed uncertainty about whether this qualifies as a security issue.
Recommendations

For PHP versions prior to 5.5.34, update to version 5.5.34 or later.
For PHP versions 5.6.x prior to 5.6.20, update to version 5.6.20 or later.
For PHP versions 7.x prior to 7.0.5, update to version 7.0.5 or later.
As a temporary workaround, consider restricting the length of input passed to the rawurlencode function so that long strings are not processed.

Exploit · Fix · DoS

Related Identifiers

BDU:2022-02553
CVE-2016-4070
DLA-499-1
DSA-3560-1
OPENSUSE-SU-2016_1274-1
OPENSUSE-SU-2016_1373-1
RHSA-2016:2750
SUSE-SU-2016:1277-1
SUSE-SU-2016:1310-1
SUSE-SU-2016:1581-1
SUSE-SU-2016:1638-1
USN-2952-1
USN-2984-1

Affected Products

Php
Suse
Ubuntu