|
|
CVE Reference: CVE-2006-4433 |
|
| NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE. | |
|
Original Page at CVE MITRE: CVE-2006-4433 |
|
|
Description: PHP before 4.4.3 and 5.x before 5.1.4 does not limit the character set of the session identifier (PHPSESSID) for third party session handlers, which might make it easier for remote attackers to exploit other vulnerabilities by inserting PHP code into the PHPSESSID, which is stored in the session file. NOTE: it could be argued that this not a vulnerability in PHP itself, rather a design limitation that enables certain attacks against session handlers that do not account for this limitation. |
|
|
CVE Status: Candidate |
|
|
References: SREASON http://securityreason.com/securityalert/1466 SAID Secunia Advisory: SA21573 OSVDB 28233 28273 MISC http://www.hardened-php.net/advisory_052006.128.html BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/444263/100/0/threaded |
|
| Return to the previous page. |
