Stefan Esser discovered that PHP did not properly handle the PS_UNDEF_MARKER ('!') character in session variable names. In cases where a PHP script generated session variable names from untrusted user input, a malicious user could use this flaw to inject an arbitrary variable into the session. This could create an additional attack vector for exploiting other possible unserialization flaws.
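As an added example (not code from the bug report or from PHP upstream), the vulnerable pattern the description refers to, a session variable name taken straight from request input, beside a hardened form that only accepts allowlisted identifier-shaped keys; the function, constant and parameter names are assumptions:

```php
<?php
// VULNERABLE pattern: untrusted input becomes the session variable name.
// On PHP before 5.2.14 / 5.3.3 a name containing '!' (PS_UNDEF_MARKER)
// is mishandled by the default session serializer (CVE-2010-3065).
function store_preference_vulnerable(string $name, string $value): void
{
    $_SESSION[$name] = $value;
}

// HARDENED form: the key must come from a fixed allowlist AND look like a
// plain identifier, so no serializer marker character can reach $_SESSION.
// The regex is defence in depth in case the allowlist is later widened.
const ALLOWED_PREF_KEYS = ['theme', 'lang', 'timezone']; // assumed app keys

function is_safe_session_key(string $name): bool
{
    return in_array($name, ALLOWED_PREF_KEYS, true)
        && preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $name) === 1;
}

function store_preference(string $name, string $value): bool
{
    if (!is_safe_session_key($name)) {
        // Log the rejected key hex-encoded: a useful detection signal for
        // probes such as names starting with '!'.
        error_log('rejected session key: ' . bin2hex($name));
        return false;
    }
    $_SESSION[$name] = $value;
    return true;
}

session_start();
// Constructed inputs standing in for $_GET['pref'] / $_GET['value'].
foreach ([['theme', 'dark'], ['!admin', '1'], ['theme|x', '1']] as [$k, $v]) {
    printf("%-8s => %s\n", $k, store_preference($k, $v) ? 'stored' : 'rejected');
}
```

Even on a patched PHP the allowlist is the right control: session keys should never be derived from user input, regardless of which serializer is configured.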
Upstream fix, added in 5.3.3 and 5.2.14:
Common Vulnerabilities and Exposures assigned the identifier CVE-2010-3065 to the following vulnerability:
Reference: MISC: http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html
Reference: URL: http://www.debian.org/security/2010/dsa-2089
The default session serializer in PHP 5.2 through 5.2.13 and 5.3
through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker,
which allows context-dependent attackers to modify arbitrary session
variables via a crafted session variable name.
Are there any plans to fix this in Red Hat Enterprise 5? If so, is there a time frame as to when a patch will be available?
It's planned to be addressed in the upcoming errata, work on which is already in progress.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2010:0919 https://rhn.redhat.com/errata/RHSA-2010-0919.html
This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed.
For further information about the Errata Support Policy, visit: