cve/2020/CVE-2020-7067.md

### [CVE-2020-7067](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7067)
![](https://img.shields.io/static/v1?label=Product&message=PHP&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-125%20Out-of-bounds%20Read&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-196%20Unsigned%20to%20Signed%20Conversion%20Error&color=brighgreen)

### Description

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

### POC

#### Reference
- https://bugs.php.net/bug.php?id=79465
- https://bugs.php.net/bug.php?id=79465
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html

#### Github
- https://github.com/0xbigshaq/php7-internals
- https://github.com/RClueX/Hackerone-Reports
- https://github.com/imhunterand/hackerone-publicy-disclosed
- https://github.com/vincd/search-cve
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2020-7067](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7067)`
			`![](https://img.shields.io/static/v1?label=Product&message=PHP&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-125%20Out-of-bounds%20Read&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-196%20Unsigned%20to%20Signed%20Conversion%20Error&color=brighgreen)`

			`### Description`

			`In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.`

			`### POC`

			`#### Reference`
			`- https://bugs.php.net/bug.php?id=79465`
Update CVE sources 2024-06-09 00:33 2024-06-09 00:33:16 +00:00			`- https://bugs.php.net/bug.php?id=79465`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`- https://www.oracle.com/security-alerts/cpuApr2021.html`
Update CVE sources 2024-06-09 00:33 2024-06-09 00:33:16 +00:00			`- https://www.oracle.com/security-alerts/cpuApr2021.html`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`- https://www.oracle.com/security-alerts/cpuoct2020.html`
Update CVE sources 2024-06-09 00:33 2024-06-09 00:33:16 +00:00			`- https://www.oracle.com/security-alerts/cpuoct2020.html`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00
			`#### Github`
			`- https://github.com/0xbigshaq/php7-internals`
			`- https://github.com/RClueX/Hackerone-Reports`
			`- https://github.com/imhunterand/hackerone-publicy-disclosed`
			`- https://github.com/vincd/search-cve`