CVE-2004-1020

Name: CVE-2004-1020
Creator: NVD / NIST
Published: 2005-01-10T05:00:00+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 7.07%

Last modified Jun 16, 2026

CVE-2004-1020 is a vulnerability of currently unknown severity. The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. EPSS estimates a 7.07% chance of exploitation in the next 30 days.

Description

The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.

Metrics

EPSS Probability

7.07%

93.4th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions	Update
Php	Php	4.3.6	—
Php	Php	4.3.7	—
Php	Php	4.3.8	—
Php	Php	4.3.9	—
Php	Php	5.0	Rc1
Php	Php	5.0.0	—
Php	Php	5.0.1	—
Php	Php	5.0.2	—

References

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000915
http://www.gentoo.org/security/en/glsa/glsa-200412-14.xmlVendor Advisory
http://www.mandriva.com/security/advisories?name=MDKSA-2004:151
http://www.php.net/release_4_3_10.phpVendor Advisory
http://www.securityfocus.com/advisories/9028
http://www.securityfocus.com/archive/1/384663Exploit, Vendor Advisory
http://www.securityfocus.com/bid/11981Exploit, Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/18516
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000915
http://www.gentoo.org/security/en/glsa/glsa-200412-14.xmlVendor Advisory
http://www.mandriva.com/security/advisories?name=MDKSA-2004:151
http://www.php.net/release_4_3_10.phpVendor Advisory
http://www.securityfocus.com/advisories/9028
http://www.securityfocus.com/archive/1/384663Exploit, Vendor Advisory
http://www.securityfocus.com/bid/11981Exploit, Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/18516

Timeline

Published: Jan 10, 2005
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2004-1020?

How severe is CVE-2004-1020?

Severity scoring for CVE-2004-1020 is pending analysis. The EPSS model estimates a 7.07% probability of exploitation in the next 30 days.

How do I fix CVE-2004-1020?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2004-1020?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST