Date: Tue, 21 Jun 2016 08:00:53 -0400 (EDT)
From: cve-assign@...re.org
To: lukas@...tcloud.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015)


> PHP security bug #68978 (https://bugs.php.net/bug.php?id=68978) also
> warrants a CVE identifier:

>> The filtering in the header() function is not sufficient and this can
>> lead to header injection and content injection (XSS) when the client
>> is Internet Explorer (in every tested version).

>> IE accepts %0A%20 or %0D%0A%20 as a separator in HTTP while other
>> browsers treat a new line beginning with a space as the continuation
>> of the previous header. This can lead to header injection or content
>> injection (basically, XSS) in IE.

> PHP's documentation (http://php.net/manual/en/function.header.php)
> explicitly states that since version 5.2.1 PHP natively prevents
> header injections:

>> This function now prevents more than one header to be sent at once
>> as a protection against header injection attacks.

> My understanding is that the corresponding upstream commit can be
> found at
> https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b

Use CVE-2015-8935.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
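As an added illustration (not code from the bug report, from PHP, or from the CVE team), the following Python models the two validation rules and the two parsing behaviours the quoted report contrasts: a pre-fix rule that tolerates a line break followed by whitespace as header folding, a fixed rule that rejects any CR or LF, a parser that unfolds continuation lines the way the report says non-IE browsers do, and a lenient parser that starts a new field at every line break, as the report describes IE. The header name and the encoded sample values are constructed for this example.

```python
from urllib.parse import unquote

def legacy_allows(value: str) -> bool:
    """Pre-fix rule as the report describes it (a model, not PHP's code):
    CR/LF is tolerated when the next character is SP or HTAB, because that
    looks like legitimate header folding."""
    for i, ch in enumerate(value):
        if ch == "\r" and value[i + 1:i + 2] == "\n":
            continue                      # CRLF: let the LF be judged below
        if ch in "\r\n" and value[i + 1:i + 2] not in (" ", "\t"):
            return False
    return True

def hardened_allows(value: str) -> bool:
    """Post-fix rule: no CR or LF anywhere in the value, folding included."""
    return "\r" not in value and "\n" not in value

def parse_unfolding(raw: str) -> list:
    """Parse where a line beginning with SP/HTAB continues the previous field
    (the behaviour the report attributes to browsers other than IE)."""
    fields = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:
            name, val = fields[-1]
            fields[-1] = (name, val + " " + line.strip())
        elif ":" in line:
            name, val = line.split(":", 1)
            fields.append((name.strip(), val.strip()))
    return fields

def parse_lenient(raw: str) -> list:
    """Parse where every line break starts a new field and leading whitespace
    is dropped (the behaviour the report attributes to IE)."""
    fields = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if ":" in line:
            name, val = line.split(":", 1)
            fields.append((name.strip(), val.strip()))
    return fields

def check(encoded_value: str) -> dict:
    """Decode a value as it would arrive in a query string, run both validators,
    and count how many fields each parser sees. Header name is constructed."""
    value = unquote(encoded_value)
    raw = "X-Redirect: " + value
    return {"legacy": legacy_allows(value),
            "hardened": hardened_allows(value),
            "fields_unfolded": len(parse_unfolding(raw)),
            "fields_lenient": len(parse_lenient(raw))}
```

The %0A%20 and %0D%0A%20 inputs are the ones the report singles out: the legacy rule passes them, the unfolding parser still sees one field, but the lenient parser sees two, which is why the fixed rule rejects any CR or LF outright.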
