CVE-2007-3799

Name of the Vulnerable Software and Affected Versions: PHP versions 4.x up to 4.4.7 PHP versions 5.x up to 5.2.3

Description: The issue allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie. This is obtained from PATH INFO, the session id function, and the session start function, which are not encoded or filtered when the new session cookie is generated.

Recommendations: For PHP versions 4.x up to 4.4.7, update to a version later than 4.4.7 to resolve the issue. For PHP versions 5.x up to 5.2.3, update to a version later than 5.2.3 to resolve the issue. As a temporary workaround, consider filtering or encoding special characters in cookies obtained from PATH INFO, the session id function, and the session start function to minimize the risk of exploitation.