CVE-2007-3799

CVE Details

Release Date:2007-07-16
Impact:Low What is this?

Description


The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.

See more information about CVE-2007-3799 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v2 metrics

Base Score: 4.3
Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N
Version: 2.0
Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Errata information


PlatformErrataRelease Date
Oracle Enterprise Linux version 4 (php)ELSA-2007-08902007-09-20
Oracle Linux version 5 (php)ELSA-2007-08902007-09-20


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete