ID CVE-2007-1522
Summary Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.
References
Vulnerable Configurations
  • PHP 5.2.0
    cpe:2.3:a:php:php:5.2.0
  • PHP 5.2.1
    cpe:2.3:a:php:php:5.2.1
CVSS
Base: 6.8 (as of 21-03-2007 - 15:49)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
description PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit. CVE-2007-1522. Local exploit for linux platform
id EDB-ID:3480
last seen 2016-01-31
modified 2007-03-14
published 2007-03-14
reporter Stefan Esser
source https://www.exploit-db.com/download/3480/
title PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit
nessus via4
  • NASL family CGI abuses
    NASL id PHP_4_4_7_OR_5_2_2.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2. Such versions may be affected by several issues, including buffer overflows in the GD library.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 25159
    published 2007-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25159
    title PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-3289.NASL
    description This Update fixes numerous vulnerabilities in PHP. Most of them were made public during the 'Month of PHP Bugs'. The vulnerabilities potentially lead to crashes, information leaks or even execution of malicious code. CVE-2007-1380, CVE-2007-0988, CVE-2007-1375, CVE-2007-1454 CVE-2007-1453, CVE-2007-1521, CVE-2007-1522, CVE-2007-1376 CVE-2007-1583, CVE-2007-1460, CVE-2007-1461, CVE-2007-1484 CVE-2007-1700, CVE-2007-1717, CVE-2007-1718, CVE-2007-1001 CVE-2007-1824, CVE-2007-1889, CVE-2007-1900
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27150
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27150
    title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-3289)
refmap via4
bid 22971
misc http://www.php-security.org/MOPB/MOPB-23-2007.html
secunia
  • 24505
  • 25056
suse SUSE-SA:2007:032
vupen ADV-2007-0960
statements via4
contributor Mark J Cox
lastmodified 2007-04-16
organization Red Hat
statement The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.
Last major update 07-03-2011 - 21:52
Published 20-03-2007 - 16:19
Back to Top