
php4 - cross-site scripting

Debian Security Advisory

DSA-351-1 php4 -- cross-site scripting

Date Reported:
16 Jul 2003
Affected Packages:
php4
Security database references:
In Mitre's CVE dictionary: CAN-2003-0442 (now listed as CVE-2003-0442).
More information:

The transparent session ID feature in the php4 package (session.use_trans_sid, which rewrites links and forms in the generated page so that they carry the session ID when the browser sends no session cookie) does not properly escape user-supplied input before inserting it into the generated HTML page. Because the session ID is taken from the request, an attacker who gets a victim to follow a link carrying a crafted PHPSESSID value could use this vulnerability to execute embedded scripts within the context of the generated page.
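As an added example (not from the advisory, and not PHP's own session code), the following PHP 7+ script models the link rewriting that session.use_trans_sid performs and contrasts the unescaped splice with a validated and escaped one. The function names, the accepted session-ID alphabet and the sample page fragment are assumptions made here for illustration only.

```php
<?php
// Added example for this advisory; it is not code from Debian or from PHP's
// session extension. It models what session.use_trans_sid does: when the
// browser sends no session cookie, PHP rewrites relative links and forms in
// the output so they carry PHPSESSID=<id>. The id is read from the request,
// so the attacker controls what gets spliced into the markup.

// Vulnerable pattern: the raw id is concatenated into an href attribute.
function rewrite_links_unsafe(string $html, string $sid): string
{
    return preg_replace_callback(
        '/href="([^"]*)"/',
        function (array $m) use ($sid): string {
            return 'href="' . $m[1] . '?PHPSESSID=' . $sid . '"';
        },
        $html
    );
}

// Hardened pattern (an assumption about the shape of a fix, not the actual
// patch): accept only the character set PHP itself generates for session
// ids, drop anything else, and HTML-escape before splicing into attributes.
function rewrite_links_safe(string $html, string $sid): string
{
    // Assumed valid-id alphabet: alphanumerics plus ',' and '-' (the
    // characters session.hash_bits_per_character settings can produce).
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid)) {
        // Do not propagate attacker data; a real application should start
        // a fresh session here (session_regenerate_id()) instead.
        return $html;
    }
    $safe = htmlspecialchars($sid, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '/href="([^"]*)"/',
        function (array $m) use ($safe): string {
            return 'href="' . $m[1] . '?PHPSESSID=' . $safe . '"';
        },
        $html
    );
}

// Check used below: does the rewritten page now contain a raw script tag?
function reflects_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample input: a page fragment, a benign id, and a hostile id
// of the kind an attacker would place in a link (?PHPSESSID=...) sent to a victim.
$page    = '<a href="profile.php">Profile</a>';
$benign  = 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6';
$hostile = '"><script>alert(document.cookie)</script><a href="';

printf("unsafe, benign : %s\n", rewrite_links_unsafe($page, $benign));
printf("unsafe, hostile: %s  [script reflected: %s]\n",
    rewrite_links_unsafe($page, $hostile),
    reflects_script(rewrite_links_unsafe($page, $hostile)) ? 'yes' : 'no');
printf("safe,   hostile: %s  [script reflected: %s]\n",
    rewrite_links_safe($page, $hostile),
    reflects_script(rewrite_links_safe($page, $hostile)) ? 'yes' : 'no');
```

Run it with `php trans_sid_demo.php`: the unsafe rewrite closes the href attribute with the attacker's quote and reflects the script tag into the page, while the hardened version refuses the malformed id. Note that the real flaw lives in the interpreter's output rewriter, which runs after the script has finished, so an application cannot fix it by escaping its own output; until the package is updated, setting session.use_trans_sid = 0 disables the vulnerable code path entirely.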

For the stable distribution (woody) this problem has been fixed in version 4:4.1.2-6woody3.

For the unstable distribution (sid) this problem will be fixed soon. Refer to Debian bug #200736.

We recommend that you update your php4 package.

Fixed in:

Debian GNU/Linux 3.0 (woody), php4 version 4:4.1.2-6woody3, with packages for:
architecture-independent component, Intel IA-32, Intel IA-64, Motorola 680x0, big endian MIPS, little endian MIPS, IBM S/390, Sun Sparc

The package file lists and their MD5 checksums are available in the original advisory.
