CVE-2007-5899

Publication date 20 November 2007

Last updated 24 July 2024

The output_add_rewrite_var function in PHP before 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which allows remote attackers to obtain potentially sensitive information by reading the requests for this URL, as demonstrated by a rewritten form containing a local session ID.

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
php5	8.04 LTS hardy	Fixed 5.2.4-2ubuntu5.3
	7.10 gutsy	Fixed 5.2.3-1ubuntu6.1
	7.04 feisty	Fixed 5.2.1-0ubuntu1.5
	6.10 edgy	Fixed 5.1.6-1ubuntu2.7
	6.06 LTS dapper	Fixed 5.1.2-1ubuntu3.10

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-549-1
PHP vulnerabilities
29 November 2007

USN-628-1
PHP vulnerabilities
23 July 2008

Other references

https://www.cve.org/CVERecord?id=CVE-2007-5899