CVE-2007-1396
First published: Sat Mar 10 2007(Updated: )
The import_request_variables function in PHP 4.0.7 through 4.4.6, and 5.x before 5.2.2, when called without a prefix, does not prevent the (1) GET, (2) POST, (3) COOKIE, (4) FILES, (5) SERVER, (6) SESSION, and other superglobals from being overwritten, which allows remote attackers to spoof source IP address and Referer data, and have other unspecified impact. NOTE: it could be argued that this is a design limitation of PHP and that only the misuse of this feature, i.e. implementation bugs in applications, should be included in CVE. However, it has been fixed by the vendor.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHP | =4.3.9 | |
| PHP | =5.1.5 | |
| PHP | =5.1.2 | |
| PHP | =4.2.0 | |
| PHP | =5.1.1 | |
| PHP | =4.4.4 | |
| PHP | =4.1.0 | |
| PHP | =5.1.6 | |
| PHP | =4.3.4 | |
| PHP | =4.3.0 | |
| PHP | =5.0.5 | |
| PHP | =4.3.6 | |
| PHP | =5.0.1 | |
| PHP | =5.1.4 | |
| PHP | =4.3.7 | |
| PHP | =5.0.4 | |
| PHP | =4.2.2 | |
| PHP | =4.4.2 | |
| PHP | =4.3.2 | |
| PHP | =4.3.11 | |
| PHP | =4.0.7 | |
| PHP | =4.3.3 | |
| PHP | =4.1.1 | |
| PHP | =4.4.3 | |
| PHP | =5.0.3 | |
| PHP | =4.2.3 | |
| PHP | =5.1.0 | |
| PHP | =4.4.5 | |
| PHP | =5.2.0 | |
| PHP | =4.1.2 | |
| PHP | =4.3.1 | |
| PHP | =5.1.3 | |
| PHP | =4.4.0 | |
| PHP | =4.3.10 | |
| PHP | =4.2.1 | |
| PHP | =5.0.2 | |
| PHP | =4.4.6 | |
| PHP | =4.4.1 | |
| PHP | =5.2.1 | |
| PHP | =5.0.0 | |
| PHP | =4.3.8 | |
| PHP | =4.3.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/22886
- http://us2.php.net/releases/4_4_7.php
- http://us2.php.net/releases/5_2_2.php
- http://lists.opensuse.org/opensuse-security-announce/2007-07/msg00006.html
- http://secunia.com/advisories/26048
- http://securityreason.com/securityalert/2406
- http://www.securityfocus.com/archive/1/462800/100/0/threaded
- http://www.securityfocus.com/archive/1/462658/100/0/threaded
- http://www.securityfocus.com/archive/1/462457/100/0/threaded
- http://www.securityfocus.com/archive/1/462263/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-1396?
CVE-2007-1396 has been classified as a medium severity vulnerability.
How do I fix CVE-2007-1396?
To fix CVE-2007-1396, upgrade your PHP installation to version 5.2.2 or later.
Which PHP versions are affected by CVE-2007-1396?
CVE-2007-1396 affects PHP versions 4.0.7 through 4.4.6 and all 5.x versions before 5.2.2.
What is the main issue caused by CVE-2007-1396?
The main issue with CVE-2007-1396 is that it allows remote attackers to overwrite superglobals, potentially leading to security breaches.
Is CVE-2007-1396 a remote code execution vulnerability?
No, CVE-2007-1396 is not classified as a remote code execution vulnerability but rather as an issue that can lead to spoofing and variable manipulation.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/php
- canonical/php
- version/php/4.3.9
- version/php/5.1.5
- version/php/5.1.2
- version/php/4.2.0
- version/php/5.1.1
- version/php/4.4.4
- version/php/4.1.0
- version/php/5.1.6
- version/php/4.3.4
- version/php/4.3.0
- version/php/5.0.5
- version/php/4.3.6
- version/php/5.0.1
- version/php/5.1.4
- version/php/4.3.7
- version/php/5.0.4
- version/php/4.2.2
- version/php/4.4.2
- version/php/4.3.2
- version/php/4.3.11
- version/php/4.0.7
- version/php/4.3.3
- version/php/4.1.1
- version/php/4.4.3
- version/php/5.0.3
- version/php/4.2.3
- version/php/5.1.0
- version/php/4.4.5
- version/php/5.2.0
- version/php/4.1.2
- version/php/4.3.1
- version/php/5.1.3
- version/php/4.4.0
- version/php/4.3.10
- version/php/4.2.1
- version/php/5.0.2
- version/php/4.4.6
- version/php/4.4.1
- version/php/5.2.1
- version/php/5.0.0
- version/php/4.3.8
- version/php/4.3.5