Bug 619030 (CVE-2010-3065, MOPS-2010-060)
| Summary: | CVE-2010-3065 php: session serializer session data injection vulnerability (MOPS-2010-060) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | fedora, jlieskov, jorton, rich, rpm, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 16:57:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 624469, 626733, 626734, 626735, 626736, 626740 | ||
| Bug Blocks: | |||
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3065 to the following vulnerability: Name: CVE-2010-3065 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3065 Assigned: 20100820 Reference: MISC: http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html Reference: DEBIAN:DSA-2089 Reference: URL: http://www.debian.org/security/2010/dsa-2089 The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name. Are there any plans to fix this in Red Hat Enterprise 5? If so, is there a time frame as to when a patch will be available? It's planned to be addressed in the upcoming errata, work on which is already in progress. This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0919 https://rhn.redhat.com/errata/RHSA-2010-0919.html Statement: This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed. For further information about the Errata Support Policy, visit: http://www.redhat.com/security/updates/errata |
Stefan Esser discovered that PHP did not properly handle PS_UNDEF_MARKER ('!') character in session variable names. In cases where PHP script generated session variable names from untrusted user input, a malicious user could use this flaw to inject arbitrary variable into session. This could create additional attack vector for exploiting other possible unserialization flaws. Reference: http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html Upstream fix, added in 5.3.3 and 5.2.14: http://svn.php.net/viewvc?view=revision&revision=298608