PHP session ID cross-site scripting

php-session-id-xss (12259)

Medium Risk

Description:

PHP is vulnerable to cross-site scripting. A remote attacker could create a malicious URL link to the index.php script containing malicious script embedded in the ?PHPSESSID variable, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Platforms Affected:

• Conectiva, Linux 7.0
• Conectiva, Linux 8.0
• Conectiva, Linux 9.0
• Debian, Debian Linux 3.0
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux 9.1 PPC
• MandrakeSoft, Mandrake Linux 9.1
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Multi Network Firewall 8.2
• OpenPKG, OpenPKG 1.1
• OpenPKG, OpenPKG 1.2
• OpenPKG, OpenPKG CURRENT
• PHP, PHP 4.0 RC1
• PHP, PHP 4.0 RC2
• PHP, PHP 4.0 Beta1
• PHP, PHP 4.0 Beta3
• PHP, PHP 4.0
• PHP, PHP 4.0 Beta4
• PHP, PHP 4.0 Beta2
• PHP, PHP 4.0 Beta 4 Patch1
• PHP, PHP 4.0.1
• PHP, PHP 4.0.2
• PHP, PHP 4.0.3
• PHP, PHP 4.0.4
• PHP, PHP 4.0.5
• PHP, PHP 4.0.6
• PHP, PHP 4.0.7
• PHP, PHP 4.1.0
• PHP, PHP 4.1.1
• PHP, PHP 4.1.2
• PHP, PHP 4.1.3
• PHP, PHP 4.2.0
• PHP, PHP 4.2.1
• PHP, PHP 4.2.2
• PHP, PHP 4.2.3
• PHP, PHP 4.2.4
• PHP, PHP 4.3.0
• PHP, PHP 4.3.1
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux 8.0
• RedHat, Linux 9.0
• Turbolinux, Turbolinux 7 Server
• Turbolinux, Turbolinux 7 Workstation
• Turbolinux, Turbolinux 8 Server
• Turbolinux, Turbolinux 8 Workstation

Remedy:

Upgrade to the latest version of PHP (4.3.2 or later), available from the PHP Web site. See References.

For Red Hat Linux:
Upgrade to the latest php package, as listed below. Refer to RHSA-2003:204-11 for more information. See References.

Red Hat 8.0: 4.2.2-8.0.8 or later
Red Hat 9: 4.2.2-17.2 or later

For OpenPKG:
Upgrade to the latest php package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.032-php for more information. See References.

OpenPKG CURRENT: 4.3.2-20030529 or later
OpenPKG 1.1: 4.2.2-1.1.2 or later

For Conectiva Linux:
Upgrade to the latest php4 package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:691 for more information. See References.

Conectiva Linux 7.0: 4-4.3.2-1U70_1cl or later
Conectiva Linux 8: 4-4.3.2-1U80_1cl or later
Conectiva Linux 9: 4.3.2-26997U90_1cl or later

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest php4 package (4:4.1.2-6woody3 or later), as listed in DSA-351-1. See References.

For Turbolinux:
Upgrade to the latest php package (4.2.3-10 or later), as listed in Turbolinux Security Advisory TLSA-2003-47-3. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Fri May 30 2003 - 07:41:53 CDT , PHP Trans SID XSS (Was: New php release with security fixes) at http://archives.neohapsis.com/archives/bugtraq/2003-05/0339.html.
• CIAC Information Bulletin N-112, Red Hat Updated PHP Packages Fix Bugs at http://www.ciac.org/ciac/bulletins/n-112.shtml.
• Conectiva Linux Security Announcement CLSA-2003:691, php4 at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000691.
• PHP Web site, PHP: Hypertext Preprocessor at http://us2.php.net/.
• Sverre's Security Advisories #5 2003-05-11, Cross-site Scripting in PHP's Transparent Session ID Support at http://shh.thathost.com/secadv/2003-05-11-php.txt.
• BID-7761: PHP Transparent Session ID Cross Site Scripting Vulnerability
• CVE-2003-0442: Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.
• DSA-351: php4 -- cross-site scripting
• MDKSA-2003:082: Updated php packages fix vulnerabilities
• MDKSA-2003:082-1: Updated php packages fix vulnerabilities
• OpenPKG-SA-2003.032: PHP
• OSVDB ID: 4758: PHP Session ID XSS
• RHSA-2003-204: Updated PHP packages are now available
• SECTRACK ID: 1008653: PHP Input Validation Flaw in Transparent Session ID Support Permits Cross-Site Scripting Attacks

Reported:

May 11, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page