Date: Mon, 20 Jun 2016 18:41:50 +0200
From: Lukas Reschke <>
Subject: CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015)


Considering CVE-2011-1398 ( we believe PHP security bug #68978 ( also warrants a CVE identifier:

> The filtering in header() function is not sufficient and this can lead to header injection and content injection (XSS) when the client is Internet Explorer (in every tested version).
> IE accepts %0A%20 or %0D%0A%20 as separator in HTTP while other browser treat the new line beginning with space as the continuation of the previous header. This can lead to header injection or content injection (basically, XSS) in IE.

PHP’s documentation ( explicitly states that since version 5.2.1 PHP natively prevents header injections:

> This function now prevents more than one header to be sent at once as a protection against header injection attacks.

My understanding is that the corresponding upstream commit can be found at 

This has been patched in PHP 5.6.6, 5.5.22 and 5.4.38. Since some distributions ship older versions and have not backported this, we’re therefore kindly requesting a CVE identifier and making OSS Security aware of this. An issue directly to Ubuntu has been filed at for 14.04.
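
The difference the quoted report turns on, as an added example that is not part of the original message and not PHP's own source: a filter that tolerates a line break followed by a space or tab (a folded continuation line) next to a strict one that rejects any CR, LF or NUL, plus a wrapper for code that may run on an interpreter without the fix. The function names and the sample header lines are assumptions constructed for this illustration.

```php
<?php
// Added illustration; hypothetical helpers, not PHP's internal filter.

/** Lenient model: a line break is accepted when a space or tab follows it. */
function lenient_header_ok(string $line): bool
{
    $len = strlen($line);
    for ($i = 0; $i < $len; $i++) {
        $c = $line[$i];
        if ($c === "\0") {
            return false;
        }
        if ($c === "\r" || $c === "\n") {
            // Treat CRLF as a single line break.
            if ($c === "\r" && $i + 1 < $len && $line[$i + 1] === "\n") {
                $i++;
            }
            $next = $i + 1 < $len ? $line[$i + 1] : '';
            if ($next !== ' ' && $next !== "\t") {
                return false; // break not followed by a continuation
            }
        }
    }
    return true;
}

/** Strict check: no CR, LF or NUL anywhere in the header line. */
function strict_header_ok(string $line): bool
{
    return preg_match('/[\r\n\x00]/', $line) !== 1;
}

/** Wrapper that refuses to emit a header line failing the strict check. */
function send_header_strict(string $name, string $value): void
{
    $line = $name . ': ' . $value;
    if (!strict_header_ok($line)) {
        throw new InvalidArgumentException('line break or NUL in header');
    }
    header($line);
}

// Constructed sample lines, as they look after URL decoding.
$samples = [
    'plain'        => "Location: /home",
    'bare LF'      => "Location: /home\nX-Test: 1",
    'LF + space'   => "Location: /home\n X-Test: 1",
    'CRLF + space' => "Location: /home\r\n X-Test: 1",
];
foreach ($samples as $label => $line) {
    printf("%-13s lenient=%s strict=%s\n", $label,
        var_export(lenient_header_ok($line), true),
        var_export(strict_header_ok($line), true));
}
```

Only the strict check rejects the two folded samples, which are the `%0A%20` and `%0D%0A%20` forms named in the report.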

