CVE-2009-0754

Published: 3 March 2009

PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.

Priority

Status

Package	Release	Status
php5 Launchpad, Ubuntu, Debian	upstream	Needs triage
	dapper	Released (5.1.2-1ubuntu3.14)
	gutsy	Ignored (end of life, was needed)
	hardy	Released (5.2.4-2ubuntu5.6)
	intrepid	Released (5.2.6-2ubuntu4.2)
	Patches: upstream: http://cvsweb.php.net/viewvc.cgi/php-src/ext/mbstring/mbstring.c?r1=1.276&r2=1.277

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
https://ubuntu.com/security/notices/USN-761-1
NVD
Launchpad
Debian

Bugs

http://bugs.php.net/bug.php?id=27421
https://bugzilla.redhat.com/show_bug.cgi?id=479272

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›