oss-sec mailing list archives
Re: CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015)
From: cve-assign () mitre org
Date: Tue, 21 Jun 2016 08:00:53 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
PHP security bug #68978 (https://bugs.php.net/bug.php?id=68978) also warrants a CVE identifier:
The filtering in header() function is not sufficient and this can lead to header injection and content injection (XSS) when the client is Internet Explorer (in every tested version).
IE accepts %0A%20 or %0D%0A%20 as separator in HTTP while other browser treat the new line beginning with space as the continuation of the previous header. This can lead to header injection or content injection (basically, XSS) in IE.
PHP's documentation (http://php.net/manual/en/function.header.php) explicitly states that since version 5.2.1 PHP natively prevents header injections:
This function now prevents more than one header to be sent at once as a protection against header injection attacks.
My understanding is that the corresponding upstream commit can be found at https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b
Use CVE-2015-8935. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXaSwPAAoJEHb/MwWLVhi2PwAP/RxDG+I/240T4Bof1AeJd/0e h4da07InmmtISwUyEQJQVJMnZt+A0ewrwn+Ipdm8haaqwO3fsIrm0eRk2HR8VZQE Wf7cq1FIPaIwCTaAAEBOpMhXN3/A/GnOJC8gzKFZIvbDTFbs8F6kE6JBB3E52B07 G940pVZtWNjhyeloo543q2Xt0eFy1CmFqxsf3vTQHgXU1y+twgpW9fd1kbyfz70t Cj53kZW8jcShxLzCc6nDeT91sBWM54v24h8zAiUCLMLCDvahfYzfOqqXRZHhEhcc sSkft1FdBO8ED4FXZ8r1n6hRdMrrbi2Y0DNxCxoEm77Yz6gqMg267RqxHbLdBVK+ 5f2WOc1Xhy3K09ORxjlu0fgqnSp9MhEwaQqo1oOu9xgQNvjKbn4gulSTH68St35h 6zISQrWWYO/T9g/G+dEF/K/oNrjwfvhLdiGd4Np4GA/Z3rmBREXNCpjZ8lYQzZrk YoGWg5xSCkcy0W9uh0H6A/d9aDRKxixATbOx7HvaxeAB6jd7Xgr4Jlq7bbLPu1qu IqPrlNfES06j/06CFtdee6iPcBLz80gM/A5yxQ5fi/+nakkhb7PWYBQc9ilkChkq 3DLtFno9zuERUN1skN2lsfSB8/dCWuhtzlCJFAENgw7BE3CkSDQ/x6oW7ELSK39k mP+W41Ni4/lIlRuf8zZn =0A1M -----END PGP SIGNATURE-----
Current thread:
- CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015) Lukas Reschke (Jun 20)
- Re: CVE request for PHP bug #68978: "XSS in header() with Internet Explorer" (2015) cve-assign (Jun 21)