PHP EXT/Session HTTP Response Header Injection Vulnerability
BID:24268
Info
PHP EXT/Session HTTP Response Header Injection Vulnerability
| Bugtraq ID: | 24268 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-3799 |
| Remote: | Yes |
| Local: | No |
| Published: | May 04 2007 12:00AM |
| Updated: | Mar 19 2015 09:01AM |
| Credit: | Stefan Esser is credited with the discovery of this vulnerability. |
| Vulnerable: |
Ubuntu Ubuntu Linux 7.10 sparc Ubuntu Ubuntu Linux 7.10 powerpc Ubuntu Ubuntu Linux 7.10 i386 Ubuntu Ubuntu Linux 7.10 amd64 Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 SuSE SUSE Linux Enterprise Server 9 SP3 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise Server 10 SuSE SUSE Linux Enterprise SDK 9 SuSE SUSE Linux Enterprise SDK 10.SP1 SuSE SUSE Linux Enterprise SDK 10 SuSE SUSE Linux Enterprise Desktop 10 SP1 SuSE SUSE Linux Enterprise Desktop 10 SuSE Linux Professional 10.2 x86_64 SuSE Linux Personal 10.2 x86_64 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 1 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Office Server S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 10.2 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 10.2 S.u.S.E. Linux Personal 10.1 S.u.S.E. Linux Openexchange Server S.u.S.E. Linux Office Server S.u.S.E. Linux Desktop 1.0 S.u.S.E. Linux Desktop 10 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc rPath rPath Linux 1 RedHat Enterprise Linux WS 4 RedHat Enterprise Linux WS 3 RedHat Enterprise Linux WS 2.1 IA64 RedHat Enterprise Linux WS 2.1 RedHat Enterprise Linux ES 4 RedHat Enterprise Linux ES 3 RedHat Enterprise Linux ES 2.1 IA64 RedHat Enterprise Linux ES 2.1 RedHat Enterprise Linux Desktop Workstation 5 client RedHat Desktop 4.0 RedHat Desktop 3.0 RedHat Application Stack v1 for Enterprise Linux ES 4 RedHat Application Stack v1 for Enterprise Linux AS 4 RedHat Advanced Workstation for the Itanium Processor 2.1 IA64 RedHat Advanced Workstation for the Itanium Processor 2.1 Red Hat Fedora Core6 Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux AS 3 Red Hat Enterprise Linux AS 2.1 IA64 Red Hat Enterprise Linux AS 2.1 Red Hat Enterprise Linux 5 Server PHP PHP 5.2.3 PHP PHP 5.2.2 PHP PHP 5.2.1 PHP PHP 5.1.6 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 -RC1 PHP PHP 5.1.3 PHP PHP 5.1.2 PHP PHP 5.1.1 PHP PHP 5.1 PHP PHP 5.0.5 PHP PHP 5.0.4 PHP PHP 5.0.3 PHP PHP 5.0.2 PHP PHP 5.0.1 PHP PHP 5.0 candidate 3 PHP PHP 5.0 candidate 2 PHP PHP 5.0 candidate 1 PHP PHP 5.0 .0 PHP PHP 4.4.7 PHP PHP 4.4.6 PHP PHP 4.4.5 PHP PHP 4.4.4 PHP PHP 4.4.3 PHP PHP 4.4.2 PHP PHP 4.4.1 PHP PHP 4.4 .0 PHP PHP 4.3.11 PHP PHP 4.3.10 PHP PHP 4.3.9 PHP PHP 4.3.8 PHP PHP 4.3.7 PHP PHP 4.3.6 PHP PHP 4.3.5 PHP PHP 4.3.4 PHP PHP 4.3.3 PHP PHP 4.3.2 PHP PHP 4.3.1 PHP PHP 4.3 PHP PHP 4.2.3 PHP PHP 4.2.2 PHP PHP 4.2.1 PHP PHP 4.2 .0 PHP PHP 4.2 -dev PHP PHP 4.1.2 PHP PHP 4.1.1 PHP PHP 4.1 .0 PHP PHP 4.0.7 RC3 PHP PHP 4.0.7 RC2 PHP PHP 4.0.7 RC1 PHP PHP 4.0.7 PHP PHP 4.0.6 PHP PHP 4.0.5 PHP PHP 4.0.4 PHP PHP 4.0.3 pl1 PHP PHP 4.0.3 PHP PHP 4.0.2 PHP PHP 4.0.1 pl2 PHP PHP 4.0.1 pl1 PHP PHP 4.0.1 PHP PHP 4.0 0 PHP PHP 5.2 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 F5 FirePass 6.0.3 F5 FirePass 6.0.2 F5 FirePass 6.0.1 F5 FirePass 7.0 F5 FirePass 6.1 F5 FirePass 6.0.2.3 F5 FirePass 6.0 F5 BigIP Local Traffic Manager (LTM) 8900 10.2.1 HFA3 F5 BigIP Local Traffic Manager (LTM) 6400 10.2.1 HFA3 F5 BigIP Link Controller 10.1 F5 BigIP Link Controller 10.0.1 F5 BigIP Link Controller 10.0 F5 BigIP Global Traffic Manager (GTM) 10.1 F5 BigIP Global Traffic Manager (GTM) 10.0.1 F5 BigIP Global Traffic Manager (GTM) 10.0 F5 BigIP Application Security Manager (ASM) 10.1 F5 BigIP Application Security Manager (ASM) 10.0.1 F5 BigIP Application Security Manager (ASM) 10.0 F5 BIG-IP Protocol Security Manager 10.1 F5 BIG-IP Protocol Security Manager 10.0 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Avaya Messaging Storage Server MM3.0 Avaya Messaging Storage Server 3.1 Avaya Message Networking MN 3.1 Avaya Message Networking 3.1 Avaya Intuity AUDIX LX 2.0 Avaya Communication Manager 4.0 Avaya Communication Manager 3.1 Avaya Aura Application Enablement Services 4.0.1 Avaya Aura Application Enablement Services 3.1.4 Avaya Aura Application Enablement Services 3.1.3 Avaya Aura Application Enablement Services 4.0 Avaya Aura Application Enablement Services 3.1 Avaya Aura Application Enablement Services 3.0 Apple Mac OS X Server 10.5.2 Apple Mac OS X Server 10.4.11 Apple Mac OS X 10.4.11 |
| Not Vulnerable: | |
Discussion
PHP EXT/Session HTTP Response Header Injection Vulnerability
PHP is prone to an HTTP-response-header-injection vulnerability because it fails to sanitize user-supplied input.
An attacker can exploit this issue to inject additional cookie attributes into session cookies. This may lead to other attacks.
This issue affects PHP 5.2.3 (and prior versions) and PHP 4.4.7 (and prior versions).
PHP is prone to an HTTP-response-header-injection vulnerability because it fails to sanitize user-supplied input.
An attacker can exploit this issue to inject additional cookie attributes into session cookies. This may lead to other attacks.
This issue affects PHP 5.2.3 (and prior versions) and PHP 4.4.7 (and prior versions).
Exploit / POC
PHP EXT/Session HTTP Response Header Injection Vulnerability
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
The following proof of concept is available:
http://www.example.com/session.php/PHPSESSID=ID;INJECTED=ATTRIBUTE;/
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
The following proof of concept is available:
http://www.example.com/session.php/PHPSESSID=ID;INJECTED=ATTRIBUTE;/
Solution / Fix
PHP EXT/Session HTTP Response Header Injection Vulnerability
Solution:
Please see the referenced advisories for more information.
Apple Mac OS X 10.4.11
Apple Mac OS X Server 10.4.11
Apple Mac OS X Server 10.5.2
Solution:
Please see the referenced advisories for more information.
Apple Mac OS X 10.4.11
-
Apple SecUpd2008-002PPC.dmg
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpd2008-002PPC.dmg -
Apple SecUpd2008-002Univ.dmg
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpd2008-002Univ.dmg
Apple Mac OS X Server 10.4.11
-
Apple SecUpdSrvr2008-002PPC.dmg
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpdSrvr2008-002PPC.dmg -
Apple SecUpdSrvr2008-002Univ.dmg
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpdSrvr2008-002Univ.dmg
Apple Mac OS X Server 10.5.2
References
PHP EXT/Session HTTP Response Header Injection Vulnerability
References:
References:
- PHP Homepage (PHP)
- PMOPB-46-2007:PHP ext/session Session Cookie Parameter Injection Vulnerability (Stefan Essar )
- [USN-549-1] PHP vulnerabilities (Kees Cook
) - ASA-2007-449 PHP security updates (RHSA-2007-0888, RHSA-2007-0889 & RHSA-2007-08 (Avaya)
- RHSA-2007:0888-2 - php security update (Red Hat)
- RHSA-2007:0889-5 php security update (Red Hat)
- RHSA-2007:0890-2 php security update (Red Hat)
- RHSA-2007:0891-5 php security update (Red Hat)
- sol13519: Multiple PHP vulnerabilities (F5 Networks)