Rapid7 Vulnerability & Exploit Database

PHP Session Name Vulnerability

Back to Search

PHP Session Name Vulnerability

Severity
9
CVSS
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published
08/03/2006
Created
07/25/2018
Added
08/03/2006
Modified
05/27/2016

Description

Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().

Solution(s)

  • php-upgrade-4_4_3

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;