PHP error logging format string vulnerability

Description

This alert was generated using only banner information. It may be a false positive.

The vulnerability is in PHP's error-logging code and is exposed when error logging is enabled in the "php.ini" configuration file. When PHP encounters an error, a string containing user-supplied data (the log_message variable) is passed as the format string argument to the php_syslog() function, which uses *printf functions.

Affected PHP versions: up to 3.0.16 and 4.0.2.
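
The logging pattern described above, reduced to a C example added here (it is not PHP's source code): demo_log() is a hypothetical stand-in for a printf-style logger such as php_syslog(), and the sample message is constructed. It uses only the "%%" directive, which consumes no arguments, to show that the vulnerable call interprets its input while the fixed call logs it verbatim.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger such as php_syslog():
 * it formats into a buffer instead of writing to syslog. */
static int demo_log(char *out, size_t n, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int len = vsnprintf(out, n, format, ap);
    va_end(ap);
    return len;
}

/* Pattern described in the advisory: the message built from user data
 * is itself the format string, so any '%' in it is interpreted. */
static int log_error_vulnerable(char *out, size_t n, const char *log_message)
{
    return demo_log(out, n, log_message);
}

/* Hardened form: constant format string, message passed as data. */
static int log_error_fixed(char *out, size_t n, const char *log_message)
{
    return demo_log(out, n, "%s", log_message);
}

/* Returns 1 if the two call styles log the message differently.
 * Only pass inputs whose directives consume no arguments ("%%");
 * anything else is undefined behaviour in the vulnerable call. */
static int input_was_interpreted(const char *log_message)
{
    char a[256], b[256];
    log_error_vulnerable(a, sizeof a, log_message);
    log_error_fixed(b, sizeof b, log_message);
    return strcmp(a, b) != 0;
}

int main(void)
{
    const char *msg = "Unknown page: /report%%2024"; /* constructed input */
    char line[256];
    log_error_vulnerable(line, sizeof line, msg);
    printf("vulnerable: %s\n", line);
    log_error_fixed(line, sizeof line, msg);
    printf("fixed:      %s\n", line);
    return input_was_interpreted(msg) ? 0 : 1;
}
```

When auditing code for this class of bug, look for printf-family or syslog-style calls whose format argument is a variable rather than a string literal.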

Remediation

Upgrade PHP to the latest version.

Tags
  • Missing Update