Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 9.3
CVE Id CVE-2006-3016
Last Modified 15 Sep 2010 12:00:00
Published 14 Jun 2006 07:02:00
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2006-3016

Summary

Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().

Vulnerable Systems

Application

  • PHP Group PHP 5.1.2


References

BID - 17843

SECUNIA - 21050

SECUNIA - 19927

CONFIRM - https://issues.rpath.com/browse/RPL-683

UBUNTU - USN-320-1

TURBO - TLSA-2006-38

BUGTRAQ - 20061005 rPSA-2006-0182-1 php php-mysql php-pgsql

REDHAT - RHSA-2006:0682

REDHAT - RHSA-2006:0669

CONFIRM - http://www.php.net/release_5_1_3.php

OSVDB - 25253

MANDRIVA - MDKSA-2006:122

CONFIRM - http://support.avaya.com/elmodocs2/security/ASA-2006-222.htm

CONFIRM - http://support.avaya.com/elmodocs2/security/ASA-2006-221.htm

SECTRACK - 1016306

SECUNIA - 23247

SECUNIA - 22487

SECUNIA - 22440

SECUNIA - 22225

SECUNIA - 22069

SECUNIA - 22004

REDHAT - RHSA-2006:0736

SGI - 20061001-01-P


Last Updated: 27 May 2016 10:42:51