CVE-2004-1020 in PHPinfo

Summary

by MITRE

The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.


Analysis

by VulDB Data Team • 07/07/2025

The vulnerability described in CVE-2004-1020 represents a critical security flaw in PHP's addslashes function implementation within version 4.3.9. This issue stems from the improper handling of NULL characters during string escaping operations, creating a potential avenue for attackers to bypass security mechanisms that should protect against directory traversal attacks. The vulnerability specifically affects PHP applications that utilize require or include statements while benefiting from the magic_quotes_gpc protection mechanism, establishing a complex attack vector that combines multiple security layers.

The flaw manifests when the addslashes function fails to properly escape NULL characters (the NUL byte, \0, written as /0 in the summary above). This incomplete escaping allows attackers to manipulate input data in ways that can circumvent the intended security protections. The vulnerability becomes particularly dangerous when combined with directory traversal vulnerabilities present in require or include statements, as it enables attackers to construct malicious input that can traverse directory structures and access files that should remain protected. The magic_quotes_gpc mechanism, designed to automatically escape certain characters in GET, POST, and COOKIE data, provides a false sense of security that this vulnerability exploits.

The operational impact of this vulnerability extends beyond simple file access, as it represents a sophisticated attack pattern that can be used to achieve arbitrary file reading capabilities within affected PHP applications. Attackers can leverage this flaw to bypass the typical protections provided by magic_quotes_gpc, potentially accessing sensitive configuration files, database credentials, or other critical application data. The vulnerability's significance is heightened by its potential to be combined with other directory traversal issues, creating a multi-layered attack approach that can be particularly devastating in web applications where file inclusion mechanisms are commonly used.

This vulnerability aligns with CWE-115, which addresses improper encoding or escaping of data, and demonstrates how seemingly minor implementation flaws in core functions can create significant security risks. The attack vector corresponds to techniques described in the ATT&CK framework under T1059.007 for command and scripting interpreter, specifically targeting application-level vulnerabilities. The issue also relates to T1566 for phishing with social engineering and T1083 for file and directory discovery, as attackers can use this vulnerability to enumerate system resources and discover sensitive files.

Organizations should consider this vulnerability in the context of broader application security practices, particularly those involving input validation and output encoding. The disputed nature of this CVE highlights the complexity of vulnerability classification and the need for careful analysis of security flaws in widely used software components. Mitigation strategies should focus on immediate PHP version updates, enhanced input validation, and comprehensive security auditing of file inclusion mechanisms within applications.
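
The input validation recommended above can be applied at the include site itself, so that the application does not depend on magic_quotes_gpc or addslashes to neutralise a NUL byte or a traversal sequence. The following is an added example, not code from PHP or from this entry; the helper name resolve_include, the directory layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (hypothetical helper): validate an include target without
// relying on magic_quotes_gpc or addslashes to neutralise the input.
declare(strict_types=1);

function resolve_include(string $baseDir, string $name): ?string
{
    // Strict allowlist of characters. \A and \z anchor the whole string, so a
    // NUL byte, slash, dot, backslash or trailing newline fails the match.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // The application, not the request, supplies the directory and extension.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: the resolved path (symlinks followed) must stay in $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.php', "<?php echo 'home';");
file_put_contents($root . '/secret.php', "<?php // constructed out-of-tree file");

// Constructed inputs: one valid name, then traversal and NUL-byte variants.
$inputs = ['home', '../secret', "../secret\0", "home\0.txt", 'missing'];
foreach ($inputs as $input) {
    $resolved = resolve_include($root . '/pages', $input);
    printf("%-20s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

// Clean up the demo tree.
unlink($root . '/pages/home.php');
unlink($root . '/secret.php');
rmdir($root . '/pages');
rmdir($root);
```

Only the first input resolves to a file; the others are rejected before any filesystem call that could be affected by a NUL byte or a parent-directory component.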

Reservation: 11/04/2004

Disclosure: 01/10/2005

Moderation: accepted

Entry: VDB-23664

CPE: ready

Exploit: Download

EPSS: 0.07068

KEV: no

Activities: very low
