Security Warning: PHP Version 4.3.1 and Earlier

Another security warning from Red Hat (Linux):

Summary:
Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.

Description:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.

This update contains fixes for a number of bugs discovered in the version of PHP included in Red Hat Linux 8.0 and 9. These bugs include the use of a PHP script as an ErrorDocument and possible POST body corruption in some configurations.

Also included is a fix for a minor security problem. In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0442 to this issue.

All users of PHP are advised to upgrade to these erratum packages, which contain back-ported patches to correct these issues.

References:
http://shh.thathost.com/secadv/2003-05-11-php.txt

Since this is a vulnerability in PHP, users of PHP on Windows are advised to look out for a fix as well.
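The advisory above says only that the session ID "is not escaped before use". The model below, an added example rather than PHP's own source or anything from the Red Hat erratum, shows concretely what that means: with session.use_trans_sid on, PHP rewrites every relative href and injects a hidden field into every form to carry the session ID, and an ID taken straight from the request (query string or POST body) is copied into that HTML verbatim. The hostile ID, the page markup and the helper names (rewrite_urls, vulnerable, fixed, sid_is_valid) are constructed for illustration; the ID validation in sid_is_valid is a hardening step assumed here, not a description of what PHP 4.3.1 did.

```python
"""Model of PHP's transparent session-ID rewriting (session.use_trans_sid).

Constructed example, not PHP's source code: it shows why copying an
unescaped session ID into rewritten URLs and forms is a cross-site
scripting hole (CAN-2003-0442), and what the escaped output looks like.
"""
import html
import re

SESSION_NAME = "PHPSESSID"  # PHP's default session.name

# A hostile session ID, as an attacker could supply it in the query string
# of a link they send to a victim when cookies are off and trans_sid is on.
# Constructed sample; a real link would carry it URL-encoded.
HOSTILE_SID = '"><script>alert(document.cookie)</script>'

# Constructed sample page, before PHP's output rewriting runs on it.
PAGE = (
    '<html><body>\n'
    '<a href="account.php">Account</a>\n'
    '<form action="login.php" method="post"></form>\n'
    '</body></html>\n'
)


def rewrite_urls(page, sid, escape):
    """Append the session ID to every relative href and add a hidden field to
    every form, the way trans_sid does. escape=False models PHP <= 4.3.1,
    which copied the ID through unchanged; escape=True applies HTML
    attribute escaping (the equivalent of htmlspecialchars)."""
    value = html.escape(sid, quote=True) if escape else sid

    def href(match):
        url = match.group(1)
        sep = "&" if "?" in url else "?"
        return f'href="{url}{sep}{SESSION_NAME}={value}"'

    page = re.sub(r'href="([^"]*)"', href, page)
    hidden = f'<input type="hidden" name="{SESSION_NAME}" value="{value}" />'
    # Use a function for the replacement so the ID is never interpreted
    # as a regex replacement template.
    page = re.sub(r"(<form[^>]*>)", lambda m: m.group(1) + hidden, page)
    return page


def contains_script_tag(page):
    """True if a live <script> element ended up in the rendered page."""
    return "<script>" in page


def vulnerable(page=PAGE, sid=HOSTILE_SID):
    """Output of the unfixed rewriter: the attacker's markup is live HTML."""
    return rewrite_urls(page, sid, escape=False)


def fixed(page=PAGE, sid=HOSTILE_SID):
    """Output with escaping: the same ID becomes inert attribute text."""
    return rewrite_urls(page, sid, escape=True)


def sid_is_valid(sid):
    """Defence in depth (assumed hardening, not PHP 4.3.1 behaviour): accept
    only the character set PHP itself uses for generated IDs and reject
    anything else before it can reach output rewriting."""
    return re.fullmatch(r"[0-9A-Za-z,-]{1,128}", sid) is not None


if __name__ == "__main__":
    print("--- unescaped (PHP <= 4.3.1) ---")
    print(vulnerable())
    print("--- escaped ---")
    print(fixed())
    print("hostile ID passes validation:", sid_is_valid(HOSTILE_SID))
```

Running the block prints the rewritten page twice: in the first copy the `href` attribute is closed early by the injected `">` and the script element is live; in the second the same ID appears as `&quot;&gt;&lt;script&gt;...` inside the attribute and cannot execute. On a server you cannot patch immediately, the setting the advisory names is the thing to check: `php -i | grep use_trans_sid` (or `ini_get('session.use_trans_sid')` in a script) shows whether rewriting is on, and setting `session.use_trans_sid = 0` in php.ini so sessions travel only in cookies removes the rewriting path entirely.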