Debian Bug report logs - #200736
php4: Cross-site scripting (XSS) vulnerability before 4.3.2

version graph

Package: php4; Maintainer for php4 is (unknown);

Reported by: Hideki Yamane <>

Date: Thu, 10 Jul 2003 08:18:04 UTC

Severity: grave

Tags: security

Fixed in version php4/4:4.3.2+rc3-1

Done: Steve Langasek <>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to, Adam Conrad <>:
Bug#200736; Package php4. Full text and rfc822 format available.

Acknowledgement sent to Hideki Yamane <>:
New Bug report received and forwarded. Copy sent to Adam Conrad <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Hideki Yamane <>
To: Debian Bug Tracking System <>
Subject: php4: Cross-site scripting (XSS) vulnerability before 4.3.2
Date: Thu, 10 Jul 2003 17:16:36 +0900
Package: php4
Version: unavailable; reported 2003-07-10
Severity: grave
Tags: security
Justification: user security hole

Dear php maintainer,

 I found information about php vulnerability, Cross-site Scripting issue.

 CVE says(
 "Cross-site scripting (XSS) vulnerability in the transparent SID support
  capability for PHP before 4.3.2 (session.use_trans_sid) allows remote 
  attackers to insert arbitrary script via the PHPSESSID parameter."
 and its details is described in

 users can avoid it by setting, but there is vulnerability though.
 so could you upgrade package? says(
 "This maintenance release solves a lot of bugs found in earlier PHP versions
  and is a strongly recommended upgrade for all users of PHP."
 and 4.3.3rc1 is fixed more.

 if you want to package released one not -rc, you would choice 4.3.2.
 (DON'T USE 4.3.0. it includes CGI vulnerability(fixed in 4.3.1))
 I think packaging 4.3.3(rc) is good solution.


 Hideki Yamane     mailto:henrich @

Reply sent to Steve Langasek <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Hideki Yamane <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Steve Langasek <>
Subject: Bug#200736: fixed in php4 4:4.3.2+rc3-1
Date: Thu, 14 Aug 2003 00:17:18 -0400
We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

  to pool/main/p/php4/caudium-php4_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-cgi_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-curl_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-dev_4.3.2+rc3-1_all.deb
  to pool/main/p/php4/php4-domxml_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-gd_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-imap_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-ldap_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-mcal_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-mhash_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-mysql_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-odbc_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-pear_4.3.2+rc3-1_all.deb
  to pool/main/p/php4/php4-recode_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-snmp_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-sybase_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4-xslt_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4_4.3.2+rc3-1.diff.gz
  to pool/main/p/php4/php4_4.3.2+rc3-1.dsc
  to pool/main/p/php4/php4_4.3.2+rc3-1_i386.deb
  to pool/main/p/php4/php4_4.3.2+rc3.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Steve Langasek <> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA1

Format: 1.7
Date: Wed,  6 Aug 2003 22:43:28 -0500
Source: php4
Binary: php4-cgi php4-sybase php4-recode php4-dev php4-snmp php4-odbc php4-xslt php4-domxml php4-mysql php4-gd php4-ldap php4-imap php4-curl php4 php4-pear php4-mcal caudium-php4 php4-mhash
Architecture: source i386 all
Version: 4:4.3.2+rc3-1
Distribution: unstable
Urgency: low
Maintainer: Adam Conrad <>
Changed-By: Steve Langasek <>
 caudium-php4 - A server-side, HTML-embedded scripting language
 php4       - A server-side, HTML-embedded scripting language
 php4-cgi   - A server-side, HTML-embedded scripting language
 php4-curl  - CURL module for php4
 php4-dev   - Files for PHP4 module development
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-imap  - IMAP module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-pear  - PEAR - PHP Extension and Application Repository
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 191640 197803 199049 200736
 php4 (4:4.3.2+rc3-1) unstable; urgency=low
   * New upstream version.
     - includes fix for buffer overflow crashes in imap module
       (closes: #191640)
     - includes fix for dysfunctional open_basedir directive
       (closes: #197803)
     - include fix for various XSS vulnerabilities (closes: #200736)
   * Recompile against newest libc-client libs, following another soname
     change (closes: #199049)
   * Replace db2 with db4.
   * Trim down the cgi sapi rules, since it will now build both cli and
     cgi for us by default.
   * Kludge the caudium sapi, by hard-coding the include path we need for
     pike headers.
   * Copy the lex/yacc-generated .c and .h files into the build
     directories, since generating them at build time gives wildly
     different, and undisputably broken, results.
   * Update the install rules so they're compatible with current upstream
     handling of pear and the various SAPIs.
   * Add '=shared' to the --enable-xslt option, to get the right results
     for that extension.
   * Move PEAR extensions from /usr/share/pear to /usr/share/php.
   * Conflict with php4-mysql=4:4.2.3-14, due to bizarre Zend errors.
 f681b09161c5d51a7cff16e2619bb9d7 1510 web optional php4_4.3.2+rc3-1.dsc
 c017717f495cc151077f30ff40606600 4560418 web optional php4_4.3.2+rc3.orig.tar.gz
 bd331a7d85c17b286e1035565e5b023c 88904 web optional php4_4.3.2+rc3-1.diff.gz
 0a047f5cefc99157b2e8729da80cbe77 740920 web optional php4_4.3.2+rc3-1_i386.deb
 3b3ed296c49b996e19ef1cce5ad4d5ef 13224 web optional php4-curl_4.3.2+rc3-1_i386.deb
 c2aeb241ed97a4aa40881e8aed326a6c 31664 web optional php4-domxml_4.3.2+rc3-1_i386.deb
 ebed35ffd7799b159ffd4290d1160b91 23910 web optional php4-gd_4.3.2+rc3-1_i386.deb
 9aab5f0b9f98678e02f3e5750dc7f38b 30544 web optional php4-imap_4.3.2+rc3-1_i386.deb
 53ec1332c5e7e3851ca016ad78ecb824 16330 web optional php4-ldap_4.3.2+rc3-1_i386.deb
 5ba8b8959d78ef9c081c4d19dfff3484 13776 web optional php4-mcal_4.3.2+rc3-1_i386.deb
 874decf304a54c54cb3a7b3455669d3a 5020 web optional php4-mhash_4.3.2+rc3-1_i386.deb
 815fb63ad0a695c3a3594cc465efb214 17788 web optional php4-mysql_4.3.2+rc3-1_i386.deb
 16ce60acec2721c4c0a0cfec5645375e 22688 web optional php4-odbc_4.3.2+rc3-1_i386.deb
 da95cbdf896a29d1d194524731813306 4702 web optional php4-recode_4.3.2+rc3-1_i386.deb
 9fcbd01fdb5493371517a52ce7ec299e 12912 web optional php4-xslt_4.3.2+rc3-1_i386.deb
 77912e3ede10d1220fdf53a22c6c4d40 9480 web optional php4-snmp_4.3.2+rc3-1_i386.deb
 8730ce2f552a09407c91d2edb9e04f7e 15942 web optional php4-sybase_4.3.2+rc3-1_i386.deb
 24d997e027a684bf6b06d386dc377cbc 1270038 web optional php4-cgi_4.3.2+rc3-1_i386.deb
 4e87e633fd8ed5b20bccaba5e2cd725d 941244 web optional caudium-php4_4.3.2+rc3-1_i386.deb
 f3ef78af6a45f41d713934e9f8cbbb37 791818 devel optional php4-dev_4.3.2+rc3-1_all.deb
 a29fe77193efa9dc9234201d7b7e4aa0 276168 web optional php4-pear_4.3.2+rc3-1_all.deb

Version: GnuPG v1.2.2 (GNU/Linux)


Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Fri Apr 25 06:59:22 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.