PHP up to 5.2.1 import_request_variables authentication spoofing
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in PHP and classified as critical. This affects the function import_request_variables. The manipulation leads to authentication spoofing.
This vulnerability is traded as CVE-2007-1396. Furthermore, there is an exploit available.
The affected component should be upgraded.
Details
A vulnerability was found in PHP (Programming Language Software). It has been rated as critical. This issue affects the function import_request_variables. The manipulation with an unknown input leads to a authentication spoofing vulnerability. Using CWE to declare the problem leads to CWE-290. This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
The import_request_variables function in PHP 4.0.7 through 4.4.6, and 5.x before 5.2.2, when called without a prefix, does not prevent the (1) GET, (2) POST, (3) COOKIE, (4) FILES, (5) SERVER, (6) SESSION, and other superglobals from being overwritten, which allows remote attackers to spoof source IP address and Referer data, and have other unspecified impact. NOTE: it could be argued that this is a design limitation of PHP and that only the misuse of this feature, i.e. implementation bugs in applications, should be included in CVE. However, it has been fixed by the vendor.
The bug was discovered 03/08/2007. The weakness was shared 03/10/2007 by Stefano Di Paola (Website). The advisory is shared at securityfocus.com. The identification of this vulnerability is CVE-2007-1396 since 03/10/2007. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known.
A public exploit has been developed in Shell File. The exploit is available at securityfocus.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 2 days. During that time the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 25159 (PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CGI abuses and running in the context r. The commercial vulnerability scanner Qualys is able to test this issue with plugin 165067 (SUSE Security Update for php4, php5 (SUSE-SA:2007:044)).
Upgrading eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (33152), Tenable (25159), SecurityFocus (BID 22886†), OSVDB (34673†) and Secunia (SA26048†). The entries VDB-35871, VDB-35862, VDB-35861 and VDB-35763 are related to this item. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Name
Version
- 4.0.7
- 4.1.0
- 4.1.1
- 4.1.2
- 4.2.0
- 4.2.1
- 4.2.2
- 4.2.3
- 4.3
- 4.3.1
- 4.3.2
- 4.3.3
- 4.3.4
- 4.3.5
- 4.3.6
- 4.3.7
- 4.3.8
- 4.3.9
- 4.3.10
- 4.3.11
- 4.4.0
- 4.4.1
- 4.4.2
- 4.4.3
- 4.4.4
- 4.4.5
- 4.4.6
- 5.0.0
- 5.0.1
- 5.0.2
- 5.0.3
- 5.0.4
- 5.0.5
- 5.1
- 5.1.0
- 5.1.1
- 5.1.2
- 5.1.3
- 5.1.4
- 5.1.5
- 5.1.6
- 5.2.0
- 5.2.1
License
Website
- Product: https://www.php.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Authentication spoofingCWE: CWE-290 / CWE-287
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 25159
Nessus Name: PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 65172
OpenVAS Name: SLES9: Security update for PHP4
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
03/08/2007 🔍03/09/2007 🔍
03/10/2007 🔍
03/10/2007 🔍
03/10/2007 🔍
03/10/2007 🔍
05/04/2007 🔍
12/30/2007 🔍
03/13/2015 🔍
08/02/2019 🔍
Sources
Product: php.orgAdvisory: securityfocus.com⛔
Researcher: Stefano Di Paola
Status: Not defined
Confirmation: 🔍
CVE: CVE-2007-1396 (🔍)
GCVE (CVE): GCVE-0-2007-1396
GCVE (VulDB): GCVE-100-35549
X-Force: 33152
SecurityFocus: 22886 - PHP Import_Request_Variables Arbitrary Variable Overwrite Vulnerability
Secunia: 26048
OSVDB: 34673 - CVE-2007-1396 - PHP - Spoofing Issue
Vulnerability Center: 17220 - PHP 4.0.7 -4.4.6 and 5- 5.2.2 import_request_variables Function Allows Overwriting of Variables, Medium
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 03/13/2015 12:16Updated: 08/02/2019 10:30
Changes: 03/13/2015 12:16 (76), 08/02/2019 10:30 (7)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.