CVE-2007-1522 - OpenCVE

Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Php	Php

Configuration 1 [-]

OR	cpe:2.3:a:php:php:5.2.0:::::::*
	cpe:2.3:a:php:php:5.2.1:::::::*

References

Link	Resource
http://secunia.com/advisories/24505
http://secunia.com/advisories/25056
http://www.novell.com/linux/security/advisories/2007_32_php.html
http://www.php-security.org/MOPB/MOPB-23-2007.html	Exploit Vendor Advisory
http://www.securityfocus.com/bid/22971
http://www.vupen.com/english/advisories/2007/0960

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2007-03-20T20:00:00

Updated: 2007-03-31T09:00:00

Reserved: 2007-03-20T00:00:00

Link: CVE-2007-1522

JSON object: View

NVD Information

Status : Modified

Published: 2007-03-20T20:19:00.000

Modified: 2011-03-08T02:52:17.017

Link: CVE-2007-1522

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-03-15T00:00:00", "descriptions": [{"lang": "en", "value": "Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2007-03-31T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2007-0960", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/0960"}, {"name": "25056", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25056"}, {"name": "24505", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/24505"}, {"tags": ["x_refsource_MISC"], "url": "http://www.php-security.org/MOPB/MOPB-23-2007.html"}, {"name": "22971", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/22971"}, {"name": "SUSE-SA:2007:032", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://www.novell.com/linux/security/advisories/2007_32_php.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1522", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2007-0960", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/0960"}, {"name": "25056", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25056"}, {"name": "24505", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24505"}, {"name": "http://www.php-security.org/MOPB/MOPB-23-2007.html", "refsource": "MISC", "url": "http://www.php-security.org/MOPB/MOPB-23-2007.html"}, {"name": "22971", "refsource": "BID", "url": "http://www.securityfocus.com/bid/22971"}, {"name": "SUSE-SA:2007:032", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_32_php.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1522", "datePublished": "2007-03-20T20:00:00", "dateReserved": "2007-03-20T00:00:00", "dateUpdated": "2007-03-31T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD02D837-FD28-4E0F-93F8-25E8D1C84A99", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "88358D1E-BE6F-4CE3-A522-83D1FA4739E3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors."}, {"lang": "es", "value": "Vulnerabilidad de liberaci\u00f3n doble en la extensi\u00f3n session de PHP 5.2.0 and 5.2.1 permite a atacantes dependientes del contexto ejecutar c\u00f3digo de su elecci\u00f3n mediante caracteres ilegales en el identificador de sesi\u00f3n, lo cual es rechazado por el m\u00f3dulo de almacenamiento de sesi\u00f3n interno, lo cual llama al generador de identificador de sesi\u00f3n en un contexto inapropiado, dando la posibilidad de la inyecci\u00f3n de c\u00f3digo cuando el generador es interrumpido, como ha sido demostrado lanzando una violaci\u00f3n de l\u00edmite de memoria o ciertos errores de PHP."}], "id": "CVE-2007-1522", "lastModified": "2011-03-08T02:52:17.017", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-03-20T20:19:00.000", "references": [{"source": "cve@mitre.org", "url": "http://secunia.com/advisories/24505"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/25056"}, {"source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_32_php.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www.php-security.org/MOPB/MOPB-23-2007.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/22971"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/0960"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "The PHP interpreter does not offer a reliable "sandboxed" security\nlayer (as found in, say, a JVM) in which untrusted scripts can be run;\nany script run by the PHP interpreter must be trusted with the\nprivileges of the interpreter itself. We therefore do not classify\nthis issue as security-sensitive since no trust boundary is crossed.\n", "lastModified": "2007-04-16T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}