[php-maint] Re: php4 security issues, the complete works (vol 2)

Stefan Fritsch sf at sfritsch.de
Sun Sep 10 15:42:07 UTC 2006


On Sunday 10 September 2006 17:02, sean finney wrote:
> *CVE-2006-0207: needs further research:
> 	text:
> 	Multiple HTTP response splitting vulnerabilities in PHP 5.1.1
> 	allow remote attackers to inject arbitrary HTTP headers via a
> 	crafted Set-Cookie header, related to the (1) session extension
> 	(aka ext/session) and the (2) header function.
> 	background:
> 	this bug was marked closed in the security tracker, but later it
> 	was revealed that sarge might still be affected.  see
> 	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354683
> 	for more information.

I have verified that the PoC in the bug report works with php4 from 
sarge. With firefox it can be used to do XSS (konqueror just gives an 
error message in this particular case). I think that such redirector 
scriptlets that feed a request parameter into a Location-header 
appear frequently in webapps. So I argue this should be fixed.

CVE-2005-3390 is register_globals=on only. It seems to be quite 
severe, though, so maybe it should be fixed nonetheless.

BTW, wouldn't it make sense to formalize the security policy for php 
(no register_globals, no safe_mode, no open_basedir) and put it into 
the php package descriptions, README.Debians, and php.ini-comments 
for etch?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20060910/501c13aa/attachment.pgp

More information about the pkg-php-maint mailing list