CVE-2007-3799

PHP 4.x-4.4.7 and 5.x-5.2.3 - Session Cookie Attribute Injection via Special Characters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-3799. PoCs published by Stefan Esser.

AI-analyzed exploit summary This is a writeup describing an HTTP-response-header-injection vulnerability in PHP versions 5.2.3 and prior, and PHP 4.4.7 and prior. It explains how an attacker can inject additional cookie attributes into session cookies by manipulating the URL.

Description

The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Stefan Esser · textremotephp

https://www.exploit-db.com/exploits/30130

View Code ZIP pw:eip

This is a writeup describing an HTTP-response-header-injection vulnerability in PHP versions 5.2.3 and prior, and PHP 4.4.7 and prior. It explains how an attacker can inject additional cookie attributes into session cookies by manipulating the URL.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: PHP 5.2.3 and prior, PHP 4.4.7 and prior

No auth needed

Prerequisites: A web application using PHP with session management enabled

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (32)

Core 32

Core References

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/30288

Various Sources x_refsource_confirm

https://launchpad.net/bugs/173043

Vendor Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2007-0888.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/24268

Vendor Advisory vendor-advisory x_refsource_fedora

https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00354.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/26967

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2008/dsa-1444

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/27351

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/0924/references

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/27864

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/26930

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29420

Mailing List vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2007-0889.html

Vendor Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/549-1/

Issue Tracking x_refsource_confirm

https://issues.rpath.com/browse/RPL-1693

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/28249

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2008/dsa-1578

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/27545

Vendor Advisory x_refsource_confirm

http://support.avaya.com/elmodocs2/security/ASA-2007-449.htm

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/36855

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/27377

Various Sources x_refsource_misc

http://www.php-security.org/MOPB/PMOPB-46-2007.html

Vendor Advisory x_refsource_confirm

http://docs.info.apple.com/article.html?artnum=307562

Vendor Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDKSA-2007:187

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/26895

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9792

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/usn-549-2

Vendor Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2007-0890.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2007-0891.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/26871

Vendor Advisory vendor-advisory x_refsource_suse

http://www.novell.com/linux/security/advisories/2007_15_sr.html

Scores

EPSS 0.0792

EPSS Percentile 94.0%

Details

CWE

CWE-20

Status published

Products (39)

php/php 4.0 beta_4_patch1 (5 CPE variants)

php/php 4.0.0

php/php 4.0.1

php/php 4.0.2

php/php 4.0.3

php/php 4.0.4

php/php 4.0.5

php/php 4.0.6

php/php 4.0.7

php/php 4.1.0

... and 29 more

Published Jul 16, 2007

Tracked Since Feb 18, 2026