oss-sec mailing list archives

Re: CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015)


From: cve-assign () mitre org
Date: Tue, 21 Jun 2016 08:00:53 -0400 (EDT)

PHP security bug #68978 (https://bugs.php.net/bug.php?id=68978) also
warrants a CVE identifier:

The filtering in header() function is not sufficient and this can
lead to header injection and content injection (XSS) when the client
is Internet Explorer (in every tested version).

IE accepts %0A%20 or %0D%0A%20 as separator in HTTP while other
browsers treat the new line beginning with space as the continuation
of the previous header. This can lead to header injection or content
injection (basically, XSS) in IE.

PHP's documentation (http://php.net/manual/en/function.header.php)
explicitly states that since version 5.2.1 PHP natively prevents
header injections:

This function now prevents more than one header to be sent at once
as a protection against header injection attacks.

My understanding is that the corresponding upstream commit can be
found at
https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b

Use CVE-2015-8935.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
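
The gap described in the report, as an added example (not code from PHP or from this message): a filter that tolerates a line break followed by a space or tab accepts the folded value that Internet Explorer splits into a second header, while a filter that rejects every CR, LF and NUL does not. The function names and sample values are constructed, and the lenient filter is an assumed model of the insufficient check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example; function names are hypothetical and this is not PHP source. */

/* Assumed model of an insufficient filter: CR/LF is tolerated when the next
 * byte is SP or HTAB, because the line then looks like a folded continuation.
 * Returns 1 when the value is accepted. */
int lenient_header_ok(const char *h, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (h[i] == '\0')
            return 0;
        if (h[i] == '\r' || h[i] == '\n') {
            if (h[i] == '\r' && i + 1 < len && h[i + 1] == '\n')
                i++;                       /* treat CRLF as one line break */
            if (i + 1 >= len || (h[i + 1] != ' ' && h[i + 1] != '\t'))
                return 0;                  /* unfolded break: second header */
        }
    }
    return 1;
}

/* Strict filter: any CR, LF or NUL rejects the value, folded or not. */
int strict_header_ok(const char *h, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (h[i] == '\r' || h[i] == '\n' || h[i] == '\0')
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample values, already URL-decoded. */
    const char *samples[] = {
        "Location: /home",
        "X-Note: a\n X-Other: b",      /* %0A%20 */
        "X-Note: a\r\n X-Other: b",    /* %0D%0A%20 */
        "X-Note: a\nX-Other: b",       /* plain LF */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = strlen(samples[i]);
        printf("sample %zu: lenient=%d strict=%d\n", i,
               lenient_header_ok(samples[i], n), strict_header_ok(samples[i], n));
    }
    return 0;
}
```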

