CVE-2012-4388: security - php header() header injection detection bypass
The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.
Date: Wed, 29 Aug 2012 13:26:34 -0500
From: Raphael Geissert <geissert@…ian.org>
To: oss-security@…ts.openwall.com
Subject: php header() header injection detection bypass
Hi,
Reviewing a list of CVE ids that were assigned from the Debian CNA pool, I noticed there is one [id] for php5 that hasn’t been made public, yet the issue has already been re-re-reported and, in this one last round, finally fixed.
I’m talking about https://bugs.php.net/60227
It was independently reported by two persons but as of this time their reports (#54182 and #54006) are still hidden behind the “security bug” curtain of PHP’s bug tracker. Back when they were reported, I had assigned the following id: CVE-2011-1398 “header injection detection bypass.” Note that the id only applies to the CR bypass part of the issue.
Then came this other report (#60227, originally reported as #60028 by the same person but tagged security, which hid it too), which led to finally fixing the bug (but please beware of the original fix by reading [1]).
Unless I missed something, the CR bypass issue was never assigned a CVE id once it became public. Please do correct me if I’m wrong.
[1] http://article.gmane.org/gmane.comp.php.devel/70584
Cheers,
Raphael Geissert - Debian Developer www.debian.org - get.debian.net
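The CVE description at the top says the check in sapi_header_op caught LF but mishandled bare CR, which Internet Explorer and Chrome honour as a line terminator. As an added example, not PHP's code from main/SAPI.c, here is a C validator that gives bare CR, bare LF and CRLF the same verdict; treating a terminator followed by SP or HTAB as legacy header folding is this example's own assumption about what a caller may want to permit, not something the page states.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum header_check {
    HEADER_OK = 0,        /* no CR or LF present */
    HEADER_FOLDED = 1,    /* terminator followed by SP/HTAB: legacy folding */
    HEADER_INJECTION = 2  /* terminator that would start a new header line */
};

/* Scan `len` bytes of a header line.  Bare CR, bare LF and CRLF get the
 * same verdict, so a CR-only payload cannot pass an LF-only check.  A
 * terminator followed by SP/HTAB is folding; scanning continues past it. */
enum header_check header_line_check(const char *line, size_t len)
{
    enum header_check result = HEADER_OK;
    for (size_t i = 0; i < len; i++) {
        if (line[i] != '\r' && line[i] != '\n')
            continue;
        size_t next = i + 1;
        if (line[i] == '\r' && next < len && line[next] == '\n')
            next++;                      /* CRLF is a single terminator */
        if (next < len && (line[next] == ' ' || line[next] == '\t')) {
            result = HEADER_FOLDED;
            i = next;                    /* skip the folding whitespace */
            continue;
        }
        return HEADER_INJECTION;         /* also covers a trailing terminator */
    }
    return result;
}

/* NUL-terminated convenience wrapper; pass an explicit length to
 * header_line_check() when the value may contain embedded NUL bytes. */
enum header_check header_check_str(const char *line)
{
    return header_line_check(line, strlen(line));
}

int main(void)
{
    /* Constructed inputs: one value terminated by CRLF, LF and bare CR. */
    const char *samples[] = { "Location: /home\r\nX-Injected: 1",
                              "Location: /home\nX-Injected: 1",
                              "Location: /home\rX-Injected: 1" };
    for (size_t i = 0; i < 3; i++)
        printf("sample %zu -> %d (2 = injection)\n", i, (int)header_check_str(samples[i]));
    return 0;
}
```

All three constructed samples, including the CR-only one, come back as HEADER_INJECTION; the length-taking variant exists because strlen() would stop at an embedded NUL and hide whatever follows it.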