Vulnerabilities > CVE-2006-4433 - Unspecified vulnerability in PHP

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
php
nessus
NVD
Published: 2006-08-29
Updated: 2024-11-21

Summary

PHP before 4.4.3 and 5.x before 5.1.4 does not limit the character set of the session identifier (PHPSESSID) for third party session handlers, which might make it easier for remote attackers to exploit other vulnerabilities by inserting PHP code into the PHPSESSID, which is stored in the session file. NOTE: it could be argued that this not a vulnerability in PHP itself, rather a design limitation that enables certain attacks against session handlers that do not account for this limitation.

Vulnerable Configurations

Part Description Count
Application
Php
65

Nessus

NASL familyCGI abuses
NASL idPHP_4_4_3.NASL
descriptionAccording to its banner, the version of PHP installed on the remote host is older than 4.4.3 / 5.1.4. Such versions may be affected by several issues, including a buffer overflow, heap corruption, and a flaw by which a variable may survive a call to
last seen2020-06-01
modified2020-06-02
plugin id22268
published2006-08-25
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/22268
titlePHP < 4.4.3 / 5.1.4 Multiple Vulnerabilities

Statements

contributorTomas Hoger
lastmodified2008-10-30
organizationRed Hat
statementWe do not consider this to be a PHP flaw. The problem is caused by the insufficient input validation performed by Zend platform.

References