Description
The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by Stefan Esser · textremotephp
https://www.exploit-db.com/exploits/30130
References (32)
Core 32
Core References
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/30288
Various Sources x_refsource_confirm
https://launchpad.net/bugs/173043
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0888.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/24268
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00354.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/26967
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2008/dsa-1444
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27351
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0924/references
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27864
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/26930
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/29420
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2007-0889.html
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/549-1/
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-1693
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28249
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2008/dsa-1578
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27545
Vendor Advisory x_refsource_confirm
http://support.avaya.com/elmodocs2/security/ASA-2007-449.htm
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/36855
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27377
Various Sources x_refsource_misc
http://www.php-security.org/MOPB/PMOPB-46-2007.html
Vendor Advisory x_refsource_confirm
http://docs.info.apple.com/article.html?artnum=307562
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:187
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/26895
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9792
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-549-2
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0890.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0891.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/26871
Vendor Advisory vendor-advisory
x_refsource_suse
http://www.novell.com/linux/security/advisories/2007_15_sr.html
Scores
EPSS
0.0925
EPSS Percentile
92.7%
Details
CWE
CWE-20
Status
published
Products (39)
php/php
4.0 beta_4_patch1 (5 CPE variants)
php/php
4.0.0
php/php
4.0.1
php/php
4.0.2
php/php
4.0.3
php/php
4.0.4
php/php
4.0.5
php/php
4.0.6
php/php
4.0.7
php/php
4.1.0
... and 29 more
Published
Jul 16, 2007
Tracked Since
Feb 18, 2026