Home > Vulnerability Database > CVE-2006-4433

Mend.io Vulnerability Database

CVE-2006-4433

Date: August 28, 2006

PHP before 4.4.3 and 5.x before 5.1.4 does not limit the character set of the session identifier (PHPSESSID) for third party session handlers, which might make it easier for remote attackers to exploit other vulnerabilities by inserting PHP code into the PHPSESSID, which is stored in the session file. NOTE: it could be argued that this not a vulnerability in PHP itself, rather a design limitation that enables certain attacks against session handlers that do not account for this limitation.

Severity Score

7.3

Related Resources (10)

Url: http://www.osvdb.org/28233

Url: http://www.vupen.com/english/advisories/2006/3388

Url: http://securityreason.com/securityalert/1466

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2006-4433

Url: http://www.hardened-php.net/advisory_052006.128.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2006-4433

Url: http://www.securityfocus.com/archive/1/444263/100/0/threaded

Url: http://www.osvdb.org/28273

Url: http://secunia.com/advisories/21573

Url: https://www.mend.io/vulnerability-database/CVE-2006-4433

Severity Score

7.3

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2006-4433

Date: August 28, 2006

Severity Score

Related Resources (10)

Severity Score

CVSS v3.1

CVSS v2

Do you need more information?