Session Identifier Exposure in PEAR HTML_QuickForm_Controller by PEAR
CVE-2005-4731
Currently unrated
What is CVE-2005-4731?
PEAR HTML_QuickForm_Controller version 1.0.4 exposes the Session Identifier (SID) in the URL, even when the session.use_only_cookies setting is active. Because the SID is part of the URL, remote attackers can capture it through the HTTP Referer header, which can lead to unauthorized access and session hijacking. Administrators using this component should act promptly to mitigate the risks associated with this exposure.
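A defender's check for the exposure described above, as an added example that is not part of the original advisory or of the PEAR code: it scans web server access logs for a session ID carried in request URLs or Referer values and flags IDs presented by more than one client address. The Combined Log Format layout, the parameter name PHPSESSID (PHP's default session name), the helper names and the sample log lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

SESSION_PARAM = "PHPSESSID"  # assumption: PHP's default session.name
# Assumed layout: ip - user [time] "METHOD uri PROTO" status bytes "referer" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def sid_from_url(url):
    """Return the session id found in a URL's query string, or None."""
    for key, value in parse_qsl(urlsplit(url).query):
        if key == SESSION_PARAM and value:
            return value
    return None

def fingerprint(sid):
    """Short hash so reports never repeat a live session id."""
    return hashlib.sha256(sid.encode()).hexdigest()[:12]

def scan(lines):
    """Return (exposures, shared).

    exposures: (line number, field, fingerprint) for every SID seen in a URL.
    shared: fingerprint -> client addresses, for SIDs requested by more than
    one client (worth investigating; NAT or roaming can also cause this)."""
    exposures, clients = [], defaultdict(set)
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("uri", "referer"):
            sid = sid_from_url(m[field])
            if sid:
                exposures.append((lineno, field, fingerprint(sid)))
                if field == "uri":
                    clients[fingerprint(sid)].add(m["ip"])
    shared = {fp: sorted(ips) for fp, ips in clients.items() if len(ips) > 1}
    return exposures, shared

# Constructed sample lines (documentation addresses, made-up session ids).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /form.php?PHPSESSID=aaaa1111 HTTP/1.1" 200 512 "-" "UA"',
    '192.0.2.10 - - [01/Jan/2006:10:00:05 +0000] "GET /style.css HTTP/1.1" 200 90 "http://app.example/form.php?PHPSESSID=aaaa1111" "UA"',
    '198.51.100.7 - - [01/Jan/2006:10:03:00 +0000] "GET /form.php?PHPSESSID=aaaa1111 HTTP/1.1" 200 512 "-" "UA"',
    '192.0.2.44 - - [01/Jan/2006:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "UA"',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Any entry in the exposures list means session IDs are still travelling in URLs and will also appear in Referer headers sent to other sites, so it is the signal to confirm the fix or workaround is in place.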