U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CVE-2006-1017 Detail

Current Description

The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions.


View Analysis Description

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

Vendor Statements (disclaimer)

Official Statement from Red Hat (10/30/2008)

We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
http://bugs.php.net/bug.php?id=37265 CVE, MITRE
http://secunia.com/advisories/18694 CVE, MITRE Vendor Advisory 
http://secunia.com/advisories/21050 CVE, MITRE Vendor Advisory 
http://secunia.com/advisories/21546 CVE, MITRE Vendor Advisory 
http://securityreason.com/securityalert/516 CVE, MITRE
http://www.mandriva.com/security/advisories?name=MDKSA-2006:122 CVE, MITRE
http://www.osvdb.org/23535 CVE, MITRE
http://www.php.net/ChangeLog-5.php#5.1.5 CVE, MITRE
http://www.php.net/release_5_1_5.php CVE, MITRE
http://www.securityfocus.com/archive/1/426339/100/0/threaded CVE, MITRE
http://www.vupen.com/english/advisories/2006/0772 CVE, MITRE Vendor Advisory 
https://exchange.xforce.ibmcloud.com/vulnerabilities/24964 CVE, MITRE

Weakness Enumeration

CWE-ID CWE Name Source
NVD-CWE-Other Other cwe source acceptance level NIST  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

6 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2006-1017
NVD Published Date:
03/06/2006
NVD Last Modified:
04/02/2025
Source:
MITRE