CVE-2006-3016 - Secunia Advisories - Vulnerability Intelligence

CVE Reference: CVE-2006-3016
NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2006-3016

Description: Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().

CVE Status: Candidate

References: UBUNTU http://www.ubuntu.com/usn/usn-320-1 TURBO http://www.turbolinux.com/security/2006/TLSA-2006-38.txt ST 1016306 SGI SAID Secunia Advisory: SA19927 Secunia Advisory: SA21050 Secunia Advisory: SA22004 Secunia Advisory: SA22069 Secunia Advisory: SA22225 Secunia Advisory: SA22440 Secunia Advisory: SA22487 Secunia Advisory: SA23247 REDHAT http://rhn.redhat.com/errata/RHSA-2006-0736.html http://www.redhat.com/support/errata/RHSA-2006-0682.html http://www.redhat.com/support/errata/RHSA-2006-0669.html OSVDB 25253 MANDRIVA http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:122 CONFIRM http://support.avaya.com/elmodocs2/security/ASA-2006-221.htm http://support.avaya.com/elmodocs2/security/ASA-2006-222.htm http://www.php.net/release_5_1_3.php BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/447866/100/0/threaded BID 17843

Return to the previous page.