Public Date:
250726: CVE-2007-3799 php cross-site cookie insertion

The MITRE CVE dictionary describes this issue as:

The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.

Find out more about CVE-2007-3799 from the MITRE CVE dictionary dictionary and NIST NVD.


Red Hat is aware of this issue and is tracking it via the following bug:

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 4 (php) RHSA-2007:0890 2007-09-20
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (php) RHSA-2007:0891 2007-10-25
Red Hat Enterprise Linux 3 (php) RHSA-2007:0889 2007-09-26
Red Hat Enterprise Linux 2.1 (php) RHSA-2007:0888 2007-10-23
Red Hat Enterprise Linux 5 (php) RHSA-2007:0890 2007-09-20
Red Hat Application Stack v2 for Enterprise Linux (v.5) (php) RHSA-2007:0917 2007-10-23
Last Modified

CVE description copyright © 2017, The MITRE Corporation