Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: dsa-351.htm

php4 - cross-site scripting



Debian Security Advisory

DSA-351-1 php4 -- cross-site scripting

Date Reported:
16 Jul 2003
Affected Packages:
php4
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CAN-2003-0442.
More information:

The transparent session ID feature in the php4 package does not properly escape user-supplied input before inserting it into the generated HTML page. An attacker could use this vulnerability to execute embedded scripts within the context of the generated page.

For the stable distribution (woody) this problem has been fixed in version 4:4.1.2-6woody3.

For the unstable distribution (sid) this problem will be fixed soon. Refer to Debian bug #200736.

We recommend that you update your php4 package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3.dsc
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3.diff.gz
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.1.2-6woody3_all.deb
http://security.debian.org/pool/updates/main/p/php4/php4-pear_4.1.2-6woody3_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_alpha.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_arm.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_i386.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_ia64.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_hppa.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_m68k.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_mips.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_mipsel.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_powerpc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_s390.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/php4/caudium-php4_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.1.2-6woody3_sparc.deb
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.1.2-6woody3_sparc.deb

MD5 checksums of the listed files are available in the original advisory.



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH