The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Php | Php | 5.2.0 (including) | 5.2.0 (including) |
Php | Php | 5.2.1 (including) | 5.2.1 (including) |
Php | Php | 5.2.2 (including) | 5.2.2 (including) |
Php | Php | 5.2.3 (including) | 5.2.3 (including) |
Php | Php | 5.2.4 (including) | 5.2.4 (including) |
Php | Php | 5.2.5 (including) | 5.2.5 (including) |
Php | Php | 5.2.6 (including) | 5.2.6 (including) |
Php | Php | 5.2.7 (including) | 5.2.7 (including) |
Php | Php | 5.2.8 (including) | 5.2.8 (including) |
Php | Php | 5.2.9 (including) | 5.2.9 (including) |
Php | Php | 5.2.10 (including) | 5.2.10 (including) |
Php | Php | 5.2.11 (including) | 5.2.11 (including) |
Php | Php | 5.2.12 (including) | 5.2.12 (including) |
Php | Php | 5.2.13 (including) | 5.2.13 (including) |
Php | Php | 5.3.0 (including) | 5.3.0 (including) |
Php | Php | 5.3.1 (including) | 5.3.1 (including) |
Php | Php | 5.3.2 (including) | 5.3.2 (including) |