[php-maint] Re: php4 security issues, the complete works (vol 2)
Stefan Fritsch
sf at sfritsch.de
Sun Sep 10 15:42:07 UTC 2006
Hi,
On Sunday 10 September 2006 17:02, sean finney wrote:
> *CVE-2006-0207: needs further research:
> text:
> Multiple HTTP response splitting vulnerabilities in PHP 5.1.1
> allow remote attackers to inject arbitrary HTTP headers via a
> crafted Set-Cookie header, related to the (1) session extension
> (aka ext/session) and the (2) header function.
>
> background:
> this bug was marked closed in the security tracker, but later it
> was revealed that sarge might still be affected. see
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354683
> for more information.
I have verified that the PoC in the bug report works with php4 from
sarge. With firefox it can be used to do XSS (konqueror just gives an
error message in this particular case). I think that such redirector
scriptlets that feed a request parameter into a Location-header
appear frequently in webapps. So I argue this should be fixed.
CVE-2005-3390 is register_globals=on only. It seems to be quite
severe, though, so maybe it should be fixed nonetheless.
BTW, wouldn't it make sense to formalize the security policy for php
(no register_globals, no safe_mode, no open_basedir) and put it into
the php package descriptions, README.Debians, and php.ini-comments
for etch?
Cheers,
Stefan
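The redirector pattern Stefan describes (a request parameter copied straight into a Location header) and a hardened replacement, as an added example that is not part of the thread or of the Debian php packages. It assumes PHP 7 or later for the type declarations; the function names and the sample inputs in the self-test are constructed for illustration.

```php
<?php
// Added example, not from the mailing-list thread.
// Shows the "redirector scriptlet" pattern beside a hardened version.

// Vulnerable pattern: the request parameter is emitted as-is. If the
// interpreter does not itself refuse CR/LF in header values, a CR/LF
// inside $target ends the Location header and everything after it is
// parsed by the client as further headers or body (response splitting).
function redirect_unsafe(string $target): void
{
    header('Location: ' . $target);
}

// Hardened: return a redirect target that is safe to place in a header,
// or $fallback when the supplied value must be rejected.
function safe_redirect_target(string $target, string $fallback = '/'): string
{
    // 1. Reject CR, LF and every other ASCII control character outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $target) === 1) {
        return $fallback;
    }
    // 2. Accept only a site-relative path: a single leading "/" followed by
    //    printable ASCII. "//host" and "/\host" are excluded because
    //    browsers treat them as protocol-relative URLs to another host, and
    //    absolute URLs are excluded to prevent open redirects.
    if (preg_match('#\A/(?![/\\\\])[\x21-\x7E]*\z#', $target) !== 1) {
        return $fallback;
    }
    return $target;
}

function redirect_safe(string $target): void
{
    header('Location: ' . safe_redirect_target($target), true, 302);
    exit;
}

// Self-test with constructed inputs (run from the CLI).
if (PHP_SAPI === 'cli') {
    $cases = [
        '/account/settings'          => '/account/settings', // accepted
        "/account\r\nX-Injected: 1"  => '/',                 // CRLF: rejected
        '//evil.example/'            => '/',                 // protocol-relative: rejected
        'http://evil.example/'       => '/',                 // absolute URL: rejected
    ];
    foreach ($cases as $in => $want) {
        $got = safe_redirect_target($in);
        printf("%-36s -> %-20s %s\n", json_encode($in), $got,
               $got === $want ? 'ok' : 'MISMATCH');
    }
}
```

The control-character check is what closes the response-splitting hole on an interpreter that does not reject newlines in header() itself; the path allow-list is the extra step a redirector needs anyway, since a Location target taken from the request is also an open-redirect sink.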