CVE-2007-3799

Name: CVE-2007-3799
Description: The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-1444-1, DSA-1578-1, DTSA-61-1
NVD severity: medium (attack range: remote)
Debian Bugs: 441433

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release                    Version               Status
php5 (PTS)      wheezy                     5.4.45-0+deb7u2       fixed
                wheezy (security)          5.4.45-0+deb7u5       fixed
                jessie (security), jessie  5.6.24+dfsg-0+deb8u1  fixed
                sid                        5.6.26+dfsg-1         fixed

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version    Urgency  Origin      Debian Bugs
php4     source  (unstable)  (unfixed)        low
php4     source  etch        6:4.4.4-8+etch6  medium   DSA-1578-1
php5     source  (unstable)  5.2.4-1          low                  441433
php5     source  etch        5.2.0-8+etch9    medium   DSA-1444-1
php5     source  lenny       5.2.3-1+lenny1   medium   DTSA-61-1

Notes

this does not affect default installs, only those who have written
custom session handlers (which isn't *that* uncommon though), and
also may not work if other cookie values are set.
fix sneaked into php 5.2.3 sans-mention:
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.36&r2=1.417.2.8.2.37&pathrev=PHP_5_2
fixed in php4/etch, php5/etch, php4/sarge svn
