oss-sec mailing list archives
CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015)
From: Lukas Reschke <lukas () nextcloud com>
Date: Mon, 20 Jun 2016 18:41:50 +0200
Hi, Considering CVE-2011-1398 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1398) we believe PHP security bug #68978 (https://bugs.php.net/bug.php?id=68978) also warrants a CVE identifier:
The filtering in header() function is not sufficient and this can lead to header injection and content injection (XSS) when the client is Internet Explorer (in every tested version). IE accepts %0A%20 or %0D%0A%20 as separator in HTTP while other browser treat the new line beginning with space as the continuation of the previous header. This can lead to header injection or content injection (basically, XSS) in IE.
PHP’s documentation (http://php.net/manual/en/function.header.php) explicitly states that since version 5.2.1 PHP natively prevents header injections:
This function now prevents more than one header to be sent at once as a protection against header injection attacks.
My understanding is t hat the corresponding upstream commit can be found at https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b This has been patched in PHP 5.6.6, 5.5.22 and 5.4.38, since some distributions ship older versions and have not backported this we’re therefore kindly requesting a CVE identifier and making OSS Security aware of this. An issue directly to Ubuntu has been filed at https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1594041 for 14.04. Thanks, Lukas
Current thread:
- CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015) Lukas Reschke (Jun 20)