Vulnerabilities > CVE-2005-4731 - Remote Security vulnerability in the PHP Group Pear Html Quickform Controller 1.0.4

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

the-php-group

NVD

Published: 2005-12-31

Updated: 2008-09-05

Summary

The Next action in PEAR HTML_QuickForm_Controller 1.0.4 includes the SID in the URL even when session.use_only_cookies is configured, which allows remote attackers to obtain the SID via an HTTP Referer field and possibly other vectors. Upgrade to version 1.0.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Vulnerable Configurations

Part	Description	Count
Application	The_Php_Group THE PHP Group Pear Html Quickform Controller 1.0.4	1

References

http://pear.php.net/bugs/bug.php?id=3443
http://pear.php.net/package/HTML_QuickForm_Controller/download
http://www.osvdb.org/23766