|Description||The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.|
|Source||CVE (at NVD)|
|References||DSA-1444-1, DSA-1578-1, DTSA-61-1|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|Release||Version||Status|
|jessie, jessie (security)||5.6.29+dfsg-0+deb8u1||fixed|
The information below is based on the following data on fixed versions.
this does not affect default installs, only those who have written
custom session handlers (which isn't *that* uncommon though), and
also may not work if other cookie values are set.
fix sneaked into php 5.2.3 sans-mention:
fixed in php4/etch, php5/etch, php4/sarge svn