Bug 619030 (CVE-2010-3065, MOPS-2010-060) - CVE-2010-3065 php: session serializer session data injection vulnerability (MOPS-2010-060)
Alias: CVE-2010-3065, MOPS-2010-060
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,source=oss-security,r...
Keywords: Security
Depends On: 624469 626733 626734 626735 626736 626740
Reported: 2010-07-28 12:06 UTC by Tomas Hoger
Modified: 2015-10-15 21:14 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-06-20 16:57:12 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0919 normal SHIPPED_LIVE Moderate: php security update 2010-11-29 21:33:48 UTC

Description Tomas Hoger 2010-07-28 12:06:49 UTC
Stefan Esser discovered that PHP did not properly handle the PS_UNDEF_MARKER ('!') character in session variable names. In cases where a PHP script generated session variable names from untrusted user input, a malicious user could use this flaw to inject an arbitrary variable into the session. This could create an additional attack vector for exploiting other possible unserialization flaws.


Upstream fix, added in 5.3.3 and 5.2.14:

Comment 2 Vincent Danen 2010-08-20 21:01:01 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3065 to
the following vulnerability:

Name: CVE-2010-3065
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3065
Assigned: 20100820
Reference: MISC: http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html
Reference: DEBIAN:DSA-2089
Reference: URL: http://www.debian.org/security/2010/dsa-2089

The default session serializer in PHP 5.2 through 5.2.13 and 5.3
through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker,
which allows context-dependent attackers to modify arbitrary session
variables via a crafted session variable name.
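
Added example (not part of the bug report and not the upstream fix): an application-side mitigation for the precondition described above, where a script derives session variable names from untrusted input. The function names, the `user_prefs` bucket and the sample inputs are hypothetical; the approach is an allowlist on names plus storing user-keyed data below one fixed top-level key.

```php
<?php
// Added example: keep untrusted input out of top-level $_SESSION names.
// Allowlist: letters, digits and underscore only, so neither '!'
// (PS_UNDEF_MARKER) nor '|' (the serializer's name delimiter) can appear.
const SESSION_NAME_PATTERN = '/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/';

/** True only for names that contain no session serializer metacharacters. */
function is_safe_session_name(string $name): bool
{
    return preg_match(SESSION_NAME_PATTERN, $name) === 1;
}

/**
 * Store a value under a user-influenced name inside one fixed top-level key.
 * Nested keys are written by serialize() as length-prefixed strings inside
 * the value, so the session decoder does not scan them as variable names.
 */
function store_user_keyed(array &$session, string $untrustedName, $value): void
{
    if (!is_safe_session_name($untrustedName)) {
        throw new InvalidArgumentException('rejected session variable name');
    }
    $session['user_prefs'][$untrustedName] = $value; // hypothetical bucket name
}

/** Audit helper: list existing top-level names that fail the allowlist. */
function unsafe_top_level_names(array $session): array
{
    return array_values(array_filter(
        array_keys($session),
        fn($k) => !is_safe_session_name((string) $k)
    ));
}

// Constructed sample input; $session stands in for $_SESSION.
$session = [];
foreach (['theme', 'lang_2', '!is_admin', 'a|b', ''] as $name) {
    try {
        store_user_keyed($session, $name, 'x');
        echo 'stored:   ', var_export($name, true), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($name, true), "\n";
    }
}
// 'theme' and 'lang_2' are stored; '!is_admin', 'a|b' and '' are rejected.
var_dump(unsafe_top_level_names(['ok' => 1, '!legacy' => 2])); // ['!legacy']
```

This reduces exposure in application code only; affected PHP versions still need the vendor update referenced in this bug.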

Comment 6 rich 2010-11-11 21:33:41 UTC
Are there any plans to fix this in Red Hat Enterprise 5?  If so, is there a time frame as to when a patch will be available?

Comment 7 Tomas Hoger 2010-11-12 07:30:19 UTC
It's planned to be addressed in the upcoming errata, work on which is already in progress.

Comment 8 errata-xmlrpc 2010-11-29 21:34:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0919 https://rhn.redhat.com/errata/RHSA-2010-0919.html

Comment 9 Vincent Danen 2010-11-29 22:37:39 UTC

This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed.

For further information about the Errata Support Policy, visit:
