PT-2007-2702 · Php · Php
Published 2007-03-06 · Updated 2011-03-08 · CVE-2007-1287
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
PHP versions 4.4.3 through 4.4.6
PHP version 6.0 in CVS
Description
The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via GET, POST, or COOKIE array values, which are not escaped in the phpinfo output. An attacker could craft a URL that, when opened by a user, executes arbitrary code in that user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Recommendations
For PHP versions 4.4.3 through 4.4.6, consider disabling the phpinfo function until a patch is available.
For PHP version 6.0 in CVS, restrict access to the phpinfo output to minimize the risk of exploitation.
Do not pass requests that carry user-supplied array values (in GET, POST, or COOKIE variables) to pages that call phpinfo() until the issue is resolved.
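As an added illustration for the description and recommendations above (not code from the advisory, and not PHP's own phpinfo() source), this shows the class of defect, request array values rendered into HTML unescaped, beside an escaped renderer and a gated diagnostics page that omits the request-variable section. The function names and the allowlist parameter are assumptions made for the example.

```php
<?php
// Added example: the defect class behind CVE-2007-1287 (request array values
// interpolated into HTML without escaping) and a hardened alternative.

// UNSAFE pattern: keys and values from $_GET/$_POST/$_COOKIE are echoed raw,
// so markup carried in the request becomes part of the page.
function render_request_unsafe(array $vars): string {
    $html = '';
    foreach ($vars as $name => $value) {
        $shown = is_array($value) ? implode(', ', $value) : (string)$value;
        $html .= "<tr><td>$name</td><td>$shown</td></tr>\n";
    }
    return $html;
}

// Escape helper: neutralises <, >, &, and both quote styles for an HTML context.
function html_escape($v): string {
    return htmlspecialchars((string)$v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SAFE pattern: every key and value (one level of array nesting) is escaped
// before it is placed into the markup.
function render_request_safe(array $vars): string {
    $html = '';
    foreach ($vars as $name => $value) {
        $shown = is_array($value)
            ? implode(', ', array_map('html_escape', $value))
            : html_escape($value);
        $html .= '<tr><td>' . html_escape($name) . '</td><td>' . $shown . "</td></tr>\n";
    }
    return $html;
}

// Gated diagnostics page: only allowlisted client addresses may view it, and
// the request-variable section (INFO_VARIABLES) is excluded so that no
// GET/POST/COOKIE data is reflected into the output at all.
function guarded_phpinfo(array $allowed_ips): void {
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!in_array($client, $allowed_ips, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
    phpinfo(INFO_ALL & ~INFO_VARIABLES);
}

// Constructed sample input: a request array whose values carry markup.
$sample = ['q' => ['<b>x</b>', 'plain'], 'page' => '1'];
echo render_request_safe($sample);
```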
Exploit
Fix
Related identifiers
Affected products
Php