Description
This alert was generated using only banner information. It may be a false positive.
The vulnerability exists in the code that handles error logging and is present if error logging is enabled in the "php.ini" configuration file. When errors are encountered by PHP, a string containing data supplied by the user is passed as the format string argument (the log_message variable) to the php_syslog() function (which contains *printf functions).
Affected PHP versions (up to 3.0.16, 4.0.2).
Remediation
Upgrade PHP to the latest version.
References
