Input validation error in PHP - CVE-2009-4143
Published: October 30, 2018 / Updated: June 8, 2025
Vulnerability identifier: #VU110315
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2009-4143
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PHP
PHP
Software vendor:
PHP Group
PHP Group
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
PHP before 5.2.12 does not properly handle session data, which has unspecified impact and attack vectors related to (1) interrupt corruption of the SESSION superglobal array and (2) the session.save_path directive.
Remediation
Install update from vendor's website.
External links
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://marc.info/?l=bugtraq&m=127680701405735&w=2
- http://secunia.com/advisories/37821
- http://secunia.com/advisories/38648
- http://secunia.com/advisories/40262
- http://secunia.com/advisories/41480
- http://secunia.com/advisories/41490
- http://support.apple.com/kb/HT4077
- http://www.debian.org/security/2010/dsa-2001
- http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:045
- http://www.php.net/ChangeLog-5.php
- http://www.php.net/releases/5_2_12.php
- http://www.securityfocus.com/bid/37390
- http://www.vupen.com/english/advisories/2009/3593
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7439