Lucene search

PhpMyAdminPHPMYADMIN:PMASA-2007-1

HistoryJan 16, 2007 - 12:00 a.m.

HTTP Response Splitting vulnerability

2007-01-1600:00:00

www.phpmyadmin.net

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.009

Percentile

82.7%

JSON

PMASA-2007-1

Announcement-ID: PMASA-2007-1

Date: 2007-01-16

Summary

HTTP Response Splitting vulnerability

Description

On systems running PHP 5 before 5.1.2 or PHP 4 before 4.4.2, it is possible to trigger this vulnerability by editing the cookie containing PHP’s session id. This can be used to send malicious javascript or redirects.

Severity

We consider this vulnerability to be serious.

Affected Versions

Probably all versions to 2.9.1.1.

Solution

Upgrade to phpMyAdmin 2.9.2 or newer.

References

<http://www.securityfocus.com/archive/1/453432>

Assigned CVE ids: CVE-2006-6374

CWE ids: CWE-661 CWE-113

Patches

The following commits have been made to fix this issue:

c9d93f63940fe960d3b6341d8bfb7b707c87e744

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.009

Percentile

82.7%

JSON

Related for PHPMYADMIN:PMASA-2007-1