PHP session ID cross-site scripting

php-session-id-xss (12259) The risk level is classified as MediumMedium Risk

Description:

PHP is vulnerable to cross-site scripting. A remote attacker could create a malicious URL link to the index.php script containing malicious script embedded in the ?PHPSESSID variable, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.


Consequences:

Gain Access

Remedy:

Upgrade to the latest version of PHP (4.3.2 or later), available from the PHP Web site. See References.

For Red Hat Linux:
Upgrade to the latest php package, as listed below. Refer to RHSA-2003:204-11 for more information. See References.

Red Hat 8.0: 4.2.2-8.0.8 or later
Red Hat 9: 4.2.2-17.2 or later

For OpenPKG:
Upgrade to the latest php package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.032-php for more information. See References.

OpenPKG CURRENT: 4.3.2-20030529 or later
OpenPKG 1.1: 4.2.2-1.1.2 or later

For Conectiva Linux:
Upgrade to the latest php4 package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:691 for more information. See References.

Conectiva Linux 7.0: 4-4.3.2-1U70_1cl or later
Conectiva Linux 8: 4-4.3.2-1U80_1cl or later
Conectiva Linux 9: 4.3.2-26997U90_1cl or later

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest php4 package (4:4.1.2-6woody3 or later), as listed in DSA-351-1. See References.

For Turbolinux:
Upgrade to the latest php package (4.2.3-10 or later), as listed in Turbolinux Security Advisory TLSA-2003-47-3. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Conectiva Linux 7.0
  • Conectiva Linux 8.0
  • Conectiva Linux 9.0
  • Debian Debian Linux 3.0
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux 8.2 PPC
  • MandrakeSoft Mandrake Linux 9.0
  • MandrakeSoft Mandrake Linux 9.1
  • MandrakeSoft Mandrake Linux 9.1 PPC
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
  • MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
  • MandrakeSoft Mandrake Multi Network Firewall 8.2
  • OpenPKG OpenPKG 1.1
  • OpenPKG OpenPKG 1.2
  • OpenPKG OpenPKG CURRENT
  • PHP PHP 4.0 RC2
  • PHP PHP 4.0
  • PHP PHP 4.0 Beta 4 Patch1
  • PHP PHP 4.0 Beta1
  • PHP PHP 4.0 Beta2
  • PHP PHP 4.0 Beta3
  • PHP PHP 4.0 RC1
  • PHP PHP 4.0 Beta4
  • PHP PHP 4.0.1
  • PHP PHP 4.0.2
  • PHP PHP 4.0.3
  • PHP PHP 4.0.4
  • PHP PHP 4.0.5
  • PHP PHP 4.0.6
  • PHP PHP 4.0.7
  • PHP PHP 4.1.0
  • PHP PHP 4.1.1
  • PHP PHP 4.1.2
  • PHP PHP 4.1.3
  • PHP PHP 4.2.0
  • PHP PHP 4.2.1
  • PHP PHP 4.2.2
  • PHP PHP 4.2.3
  • PHP PHP 4.2.4
  • PHP PHP 4.3.0
  • PHP PHP 4.3.1
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • RedHat Linux 8.0
  • RedHat Linux 9.0
  • Turbolinux Turbolinux 7 Server
  • Turbolinux Turbolinux 7 Workstation
  • Turbolinux Turbolinux 8 Server
  • Turbolinux Turbolinux 8 Workstation

Reported:

May 11, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page