Description

The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.

Remediation

References

CVE-2005-3389

Related Vulnerabilities

MySQL CVE-2017-3639 Vulnerability (CVE-2017-3639)

Oracle Database Server CVE-2018-3004 Vulnerability (CVE-2018-3004)

WordPress Plugin Logo Showcase with Slick Slider-Logo Carousel, Logo Slider & Logo Grid Cross-Site Scripting (1.2.3)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-28202)

TYPO3 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2009-3636)

Severity

Medium

Classification

CVE-2005-3389

Tags

Missing Update Known Vulnerabilities