Executive Summary
Summary | |
---|---|
Title | New php4 packages fix cross-site scripting vulnerability |
Informations | |||
---|---|---|---|
Name | DSA-351 | First vendor Publication | 2003-07-16 |
Vendor | Debian | Last vendor Modification | 2003-07-16 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
The transparent session ID feature in the php4 package does not properly escape user-supplied input before inserting it into the generated HTML page. An attacker could use this vulnerability to execute embedded scripts within the context of the generated page. For the stable distribution (woody) this problem has been fixed in version 4:4.1.2-6woody3. For the unstable distribution (sid) this problem will be fixed soon. Refer to Debian bug #200736. We recommend that you update your php4 package. |
Original Source
Url : http://www.debian.org/security/2003/dsa-351 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:485 | |||
Oval ID: | oval:org.mitre.oval:def:485 | ||
Title: | PH Cross-site Scripting Vulnerability | ||
Description: | Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2003-0442 | Version: | 2 |
Platform(s): | Red Hat Linux 9 | Product(s): | php |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 351-1 (php4) File : nvt/deb_351_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
4758 | PHP session.use_trans_sid PHPSESSID Parameter XSS PHP contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate PHPSESSID variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-351.nasl - Type : ACT_GATHER_INFO |
2004-07-31 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2003-082.nasl - Type : ACT_GATHER_INFO |
2003-09-24 | Name : Arbitrary code may be run on the remote server. File : php4_multiple_flaws.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:32:47 |
|