Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2011-1398 CVE-2012-1172 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
PHP Universal components / Libraries / Scripting languages |
Vendor | PHP Group |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU43654
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2011-1398
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.3.0 - 5.3.9
External linkshttp://article.gmane.org/gmane.comp.php.devel/70584
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
http://openwall.com/lists/oss-security/2012/08/29/5
http://openwall.com/lists/oss-security/2012/09/05/15
http://rhn.redhat.com/errata/RHSA-2013-1307.html
http://secunia.com/advisories/55078
http://security-tracker.debian.org/tracker/CVE-2011-1398
http://www.securitytracker.com/id?1027463
http://www.ubuntu.com/usn/USN-1569-1
http://bugs.php.net/bug.php?id=60227
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU44053
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1172
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.0.0 - 5.3.9
External linkshttp://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080037.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080041.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080070.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html
http://marc.info/?l=bugtraq&m=134012830914727&w=2
http://openwall.com/lists/oss-security/2012/03/13/4
http://support.apple.com/kb/HT5501
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/rfc1867.c?r1=321664&r2=321663&pathrev=321664
http://svn.php.net/viewvc?view=revision&revision=321664
http://www.debian.org/security/2012/dsa-2465
http://www.php.net/ChangeLog-5.php#5.4.0
http://bugs.php.net/bug.php?id=48597
http://bugs.php.net/bug.php?id=49683
http://bugs.php.net/bug.php?id=54374
http://bugs.php.net/bug.php?id=55500
http://nealpoole.com/blog/2011/10/directory-traversal-via-php-multi-file-uploads/
http://students.mimuw.edu.pl/~ai292615/php_multipleupload_overwrite.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.