Stefan Esser discovered that PHP did not properly handle PS_UNDEF_MARKER ('!') character in session variable names. In cases where PHP script generated session variable names from untrusted user input, a malicious user could use this flaw to inject arbitrary variable into session. This could create additional attack vector for exploiting other possible unserialization flaws. Reference: http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html Upstream fix, added in 5.3.3 and 5.2.14: http://svn.php.net/viewvc?view=revision&revision=298608
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3065 to the following vulnerability: Name: CVE-2010-3065 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3065 Assigned: 20100820 Reference: MISC: http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html Reference: DEBIAN:DSA-2089 Reference: URL: http://www.debian.org/security/2010/dsa-2089 The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.
Are there any plans to fix this in Red Hat Enterprise 5? If so, is there a time frame as to when a patch will be available?
It's planned to be addressed in the upcoming errata, work on which is already in progress.
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0919 https://rhn.redhat.com/errata/RHSA-2010-0919.html
Statement: This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed. For further information about the Errata Support Policy, visit: http://www.redhat.com/security/updates/errata