Description

PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".

Remediation

References

CVE-2007-1701

Related Vulnerabilities

WordPress 4.0.x Multiple Vulnerabilities (4.0 - 4.0.26)

Moodle Other Vulnerability (CVE-2006-4939)

Apache HTTP Server Uncontrolled Resource Consumption Vulnerability (CVE-2009-1891)

e107 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-11734)

Check for apache versions up to 1.3.25, 2.0.38

Severity

Medium

Classification

CVE-2007-1701 CWE-502

Tags

Missing Update Known Vulnerabilities