Bug 619030 - (CVE-2010-3065, MOPS-2010-060) CVE-2010-3065 php: session serializer session data injection vulnerability (MOPS-2010-060)
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 624469 626733 626734 626735 626736 626740
Reported: 2010-07-28 08:06 EDT by Tomas Hoger
Modified: 2015-10-15 17:14 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:57:12 EDT

Description Tomas Hoger 2010-07-28 08:06:49 EDT
Stefan Esser discovered that PHP did not properly handle the PS_UNDEF_MARKER ('!') character in session variable names.  In cases where a PHP script generated session variable names from untrusted user input, a malicious user could use this flaw to inject an arbitrary variable into the session.  This could create an additional attack vector for exploiting other possible unserialization flaws.


Upstream fix, added in 5.3.3 and 5.2.14:
Comment 2 Vincent Danen 2010-08-20 17:01:01 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3065 to
the following vulnerability:

Name: CVE-2010-3065
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3065
Assigned: 20100820
Reference: MISC: http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html
Reference: DEBIAN:DSA-2089
Reference: URL: http://www.debian.org/security/2010/dsa-2089

The default session serializer in PHP 5.2 through 5.2.13 and 5.3
through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker,
which allows context-dependent attackers to modify arbitrary session
variables via a crafted session variable name.
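
An application-side guard for the condition described above (session variable names built from untrusted input), as an added example that is not part of this bug report and is not the upstream PHP fix. The function and constant names are hypothetical; the allowlist refuses any name containing '!' (PS_UNDEF_MARKER) or '|' (the name/value delimiter of the default serializer), and the sample names are constructed.

```php
<?php
// Added example; function and constant names are hypothetical.

// Allowlist for session variable names: a letter or underscore first,
// then letters, digits or underscores, at most 64 characters in total.
// This excludes '!' (PS_UNDEF_MARKER) and '|' (the name/value delimiter).
const SESSION_KEY_PATTERN = '/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/';

function is_safe_session_key($key): bool
{
    return is_string($key) && preg_match(SESSION_KEY_PATTERN, $key) === 1;
}

// Store a value only when the name passes the allowlist; log rejections.
function session_set_checked(array &$session, $key, $value): bool
{
    if (!is_safe_session_key($key)) {
        error_log('rejected session variable name: ' . json_encode($key));
        return false;
    }
    $session[$key] = $value;
    return true;
}

// Audit an existing session array and return the names that fail the check.
function find_unsafe_session_keys(array $session): array
{
    $bad = [];
    foreach (array_keys($session) as $key) {
        if (!is_safe_session_key($key)) {
            $bad[] = $key;
        }
    }
    return $bad;
}

// Constructed sample input standing in for request-derived names.
$session = ['legacy!flag' => 1];   // pre-existing entry with an unsafe name
foreach (['color', 'x!y', 'a|b'] as $name) {
    $key = 'pref_' . $name;
    $stored = session_set_checked($session, $key, 'value');
    printf("%-12s %s\n", json_encode($key), $stored ? 'stored' : 'rejected');
}
print_r(find_unsafe_session_keys($session));
```

In an application, pass `$_SESSION` (after `session_start()`) in place of the local `$session` array.
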
Comment 6 rich 2010-11-11 16:33:41 EST
Are there any plans to fix this in Red Hat Enterprise 5?  If so, is there a time frame as to when a patch will be available?
Comment 7 Tomas Hoger 2010-11-12 02:30:19 EST
It's planned to be addressed in the upcoming errata, work on which is already in progress.
Comment 8 errata-xmlrpc 2010-11-29 16:34:10 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0919 https://rhn.redhat.com/errata/RHSA-2010-0919.html
Comment 9 Vincent Danen 2010-11-29 17:37:39 EST

This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed.

For further information about the Errata Support Policy, visit:
