National Cyber-Alert System
Vulnerability Summary: CVE-2004-1019
Original release date: 2005-01-10
Source: US-CERT/NIST

Overview

    The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double free and negative reference index array underflow" results.

Impact

    CVSS Severity: 10 (High)
    Range: remote
    Authentication: design
    Impact Type: availability, security protection (admin="1", user="1")

Reference to Advisories, Solutions, and Tools

Vulnerable Software and Vendor

    Ubuntu Linux (Ubuntu)
    PHP (PHP)
    Secure Linux (Trustix)
    Secure Enterprise Linux (Trustix)
    OpenPKG (OpenPKG)

Technical Details

CVE Standard Vulnerability Entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1019