PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".

oval:org.mitre.oval:def:11034

PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".

Family:
unix
Status:
ACCEPTED
Platform(s):
  • CentOS Linux 4
  • Oracle Linux 5
  • Oracle Linux 4
  • CentOS Linux 3
  • Red Hat Enterprise Linux 3
  • Red Hat Enterprise Linux 5
  • CentOS Linux 5
  • Red Hat Enterprise Linux 4
Class:
vulnerability
Reference(s):
  • CVE-2007-1701
Product(s):