PT-2007-2790 · PHP · PHP

Published: 2007-03-10 · Updated: 2018-10-30 · CVE-2007-1396

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

PHP versions 4.0.7 through 4.4.6
PHP versions 5.x before 5.2.2

Description

The import_request_variables() function, when called without a prefix, does not prevent the GET, POST, COOKIE, FILES, SERVER, SESSION, and other superglobals from being overwritten by the imported request variables. This allows remote attackers to spoof the source IP address and Referer data that scripts read from the superglobals, and to have other unspecified impact.

Recommendations

For PHP versions 4.0.7 through 4.4.6, update to a version later than 4.4.6 or apply a patch that fixes the import_request_variables() function. For PHP versions 5.x before 5.2.2, update to version 5.2.2 or later to resolve the issue. As a temporary workaround, pass a prefix when calling import_request_variables() so that imported variables cannot collide with, and overwrite, the superglobals.
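The vulnerable call and the prefixed workaround side by side, as an added PHP illustration that is not code from the advisory or from PHP itself; the log_access_* functions and the req_page parameter are hypothetical, and it assumes an affected PHP version with register_globals off.

```php
<?php
// Added illustration for CVE-2007-1396, not code from the advisory.
// Assumes PHP 4.0.7-4.4.6 or 5.x before 5.2.2 with register_globals off,
// the setup in which import_request_variables() was commonly used.
// (The function was later deprecated in PHP 5.3 and removed in PHP 5.4.)

// --- Vulnerable pattern ----------------------------------------------------
// No prefix: every GET/POST/COOKIE key becomes a global of the same name.
// On the affected versions a request key named like a superglobal array is
// imported over the real one, so $_SERVER read afterwards can be
// attacker-controlled rather than taken from the connection.
function log_access_vulnerable()
{
    import_request_variables('gpc');
    // Both values may now come from the request rather than the socket.
    return sprintf("%s %s\n",
        $_SERVER['REMOTE_ADDR'],
        isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-');
}

// --- Hardened pattern ------------------------------------------------------
// 1. Snapshot trusted connection data before any request-variable import.
// 2. Use a prefix so imported globals are $req_<key>; a key named _SERVER
//    becomes $req__SERVER and cannot collide with $_SERVER.
// 3. Read only the specific imported variables the script needs, validated.
function log_access_hardened()
{
    $client_ip = $_SERVER['REMOTE_ADDR'];
    $referer   = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-';

    import_request_variables('gp', 'req_');   // GET and POST only, prefixed

    global $req_page;                          // imported into global scope
    $page = (isset($req_page) && preg_match('/^[a-z0-9_-]{1,32}$/', $req_page))
        ? $req_page
        : 'index';

    return sprintf("%s %s %s\n", $client_ip, $referer, $page);
}
```

Note that the prefix alone removes the collision; the snapshot and the explicit whitelist are defence in depth for code that cannot yet be upgraded past the affected versions.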


Related Identifiers

CVE-2007-1396

Affected Products

PHP