CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015)

[Lukas Reschke <lukas () nextcloud com>]

Hi,

Considering CVE-2011-1398 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1398) we believe PHP security bug 
#68978 (https://bugs.php.net/bug.php?id=68978) also warrants a CVE identifier:

> The filtering in header() function is not sufficient and this can lead to header injection and content injection 
> (XSS) when the client is Internet Explorer (in every tested version).
> IE accepts %0A%20 or %0D%0A%20 as separator in HTTP while other browser treat the new line beginning with space as 
> the continuation of the previous header. This can lead to header injection or content injection (basically, XSS) in 
> IE.

PHP’s documentation (http://php.net/manual/en/function.header.php) explicitly states that since version 5.2.1 PHP 
natively prevents header injections:

> This function now prevents more than one header to be sent at once as a protection against header injection attacks.

My understanding is t hat the corresponding upstream commit can be found at 
https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b 

This has been patched in PHP 5.6.6, 5.5.22 and 5.4.38, since some distributions ship older versions and have not 
backported this we’re therefore kindly requesting a CVE identifier and making OSS Security aware of this. An issue 
directly to Ubuntu has been filed at https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1594041 for 14.04.

Thanks,
Lukas