Vulnerabilities > CVE-2003-0442 - Cross-Site Scripting vulnerability in PHP Transparent Session ID

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
php
redhat
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.

Exploit-Db

descriptionPHP 4.x Transparent Session ID Cross Site Scripting Vulnerability. CVE-2003-0442. Remote exploit for php platform
idEDB-ID:22696
last seen2016-02-02
modified2003-05-30
published2003-05-30
reporterSverre H. Huseby
sourcehttps://www.exploit-db.com/download/22696/
titlePHP 4.x Transparent Session ID Cross-Site Scripting Vulnerability

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-082.NASL
    descriptionA vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user- supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CVE-2003-0442). As well, two vulnerabilities had not been patched in the PHP packages included with Mandrake Linux 8.2: The mail() function did not filter ASCII control filters from its arguments, which could allow an attacker to modify the mail message content (CVE-2002-0986). Another vulnerability in the mail() function would allow a remote attacker to bypass safe mode restrictions and modify the command line arguments passed to the MTA in the fifth argument (CVE-2002-0985). All users are encouraged to upgrade to these patched packages. Update : The packages for Mandrake Linux 8.2 and Multi-Network Firewall 8.2, due to improper BuildRequires did not include mail() support. This update corrects that problem.
    last seen2020-06-01
    modified2020-06-02
    plugin id14064
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14064
    titleMandrake Linux Security Advisory : php (MDKSA-2003:082-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:082. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14064);
      script_version ("1.25");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-0985", "CVE-2002-0986", "CVE-2003-0442");
      script_xref(name:"MDKSA", value:"2003:082");
      script_xref(name:"MDKSA", value:"2003:082-1");
    
      script_name(english:"Mandrake Linux Security Advisory : php (MDKSA-2003:082-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered in the transparent session ID support
    in PHP4 prior to version 4.3.2. It did not properly escape user-
    supplied input prior to inserting it in the generated web page. This
    could be exploited by an attacker to execute embedded scripts within
    the context of the generated HTML (CVE-2003-0442).
    
    As well, two vulnerabilities had not been patched in the PHP packages
    included with Mandrake Linux 8.2: The mail() function did not filter
    ASCII control filters from its arguments, which could allow an
    attacker to modify the mail message content (CVE-2002-0986). Another
    vulnerability in the mail() function would allow a remote attacker to
    bypass safe mode restrictions and modify the command line arguments
    passed to the MTA in the fifth argument (CVE-2002-0985).
    
    All users are encouraged to upgrade to these patched packages.
    
    Update :
    
    The packages for Mandrake Linux 8.2 and Multi-Network Firewall 8.2,
    due to improper BuildRequires did not include mail() support. This
    update corrects that problem."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp_common430");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php430-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/08/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-4.1.2-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-common-4.1.2-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"php-devel-4.1.2-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-common-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-devel-4.2.3-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"php-pear-4.2.3-4.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libphp_common430-430-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php-cgi-4.3.1-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php-cli-4.3.1-11.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"php430-devel-430-11.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idPHP4_MULTIPLE_FLAWS.NASL
    descriptionThe remote host is running a version of PHP that is older than 4.3.3. All versions of PHP 4 older than 4.3.3 contain multiple integer overflow vulnerabilities that may allow an attacker to execute arbitrary commands on this host. Another problem may also invalidate safe_mode.
    last seen2020-06-01
    modified2020-06-02
    plugin id11850
    published2003-09-24
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11850
    titlePHP < 4.3.3 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Ref:
    # http://www.securityfocus.com/advisories/5887
    # http://www.php.net/ChangeLog-4.php
    #
    
    
    include("compat.inc");
    
    if(description)
    {
      script_id(11850);
      script_version("1.34");
      script_cvs_date("Date: 2018/07/24 18:56:10");
    
      script_cve_id("CVE-2002-1396", "CVE-2003-0442", "CVE-2003-0860", "CVE-2003-0861");
      script_bugtraq_id(
        6488, 
        7761, 
        8693, 
        8696
      );
      script_xref(name:"RHSA", value:"2003:204-01");
      script_xref(name:"SuSE", value:"SUSE-SA:2003:0009");
    
      script_name(english:"PHP < 4.3.3 Multiple Vulnerabilities");
      script_summary(english:"Checks for version of PHP");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"Arbitrary code may be run on the remote server."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is running a version of PHP that is older than 4.3.3.
    
    All versions of PHP 4 older than 4.3.3 contain multiple integer
    overflow vulnerabilities that may allow an attacker to execute
    arbitrary commands on this host.  Another problem may also invalidate
    safe_mode."
      );
      script_set_attribute(attribute:"see_also", value:"http://www.php.net/ChangeLog-4.php");
      script_set_attribute(attribute:"solution", value:"Upgrade to PHP 4.3.3.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2003/09/24");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/12/27");
     
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    
      script_dependencies("php_version.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
     
      exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported)
      audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    if (version =~ "^4\.[0-2]\." ||
        version =~ "^4\.3\.[0-2]($|[^0-9])"
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source     : '+source +
          '\n  Installed version  : '+version+
          '\n  Fixed version      : 4.3.3\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-351.NASL
    descriptionThe transparent session ID feature in the php4 package does not properly escape user-supplied input before inserting it into the generated HTML page. An attacker could use this vulnerability to execute embedded scripts within the context of the generated page.
    last seen2020-06-01
    modified2020-06-02
    plugin id15188
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15188
    titleDebian DSA-351-1 : php4 - XSS
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-351. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15188);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0442");
      script_bugtraq_id(7761);
      script_xref(name:"DSA", value:"351");
    
      script_name(english:"Debian DSA-351-1 : php4 - XSS");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The transparent session ID feature in the php4 package does not
    properly escape user-supplied input before inserting it into the
    generated HTML page. An attacker could use this vulnerability to
    execute embedded scripts within the context of the generated page."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/200736"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-351"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the stable distribution (woody) this problem has been fixed in
    version 4:4.1.2-6woody3.
    
    We recommend that you update your php4 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"caudium-php4", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-cgi", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-curl", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-dev", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-domxml", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-gd", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-imap", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-ldap", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mcal", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mhash", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-mysql", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-odbc", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-pear", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-recode", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-snmp", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-sybase", reference:"4:4.1.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"php4-xslt", reference:"4:4.1.2-6woody3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Oval

accepted2007-04-25T19:52:33.229-04:00
classvulnerability
contributors
  • nameJay Beale
    organizationBastille Linux
  • nameJay Beale
    organizationBastille Linux
  • nameThomas R. Jones
    organizationMaitreya Security
descriptionCross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.
familyunix
idoval:org.mitre.oval:def:485
statusaccepted
submitted2003-08-29T12:00:00.000-04:00
titlePH Cross-site Scripting Vulnerability
version38

Redhat

advisories
rhsa
idRHSA-2003:204