Multiple vulnerabilities in PHP
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2011-1398 CVE-2012-1172 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
PHP Universal components / Libraries / Scripting languages |
| Vendor | PHP Group |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU43654
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-1398
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.3.0 - 5.3.9
CPE2.3 External linkshttps://article.gmane.org/gmane.comp.php.devel/70584
https://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
https://openwall.com/lists/oss-security/2012/08/29/5
https://openwall.com/lists/oss-security/2012/09/05/15
https://rhn.redhat.com/errata/RHSA-2013-1307.html
https://secunia.com/advisories/55078
https://security-tracker.debian.org/tracker/CVE-2011-1398
https://www.securitytracker.com/id?1027463
https://www.ubuntu.com/usn/USN-1569-1
https://bugs.php.net/bug.php?id=60227
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Input validation error
EUVDB-ID: #VU44053
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2012-1172
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.0.0 - 5.3.9
CPE2.3- cpe:2.3:a:php_group:php:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:5.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:5.2.17:*:*:*:*:*:*:*
https://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/
https://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-May/080037.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-May/080041.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-May/080070.html
https://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html
https://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html
https://marc.info/?l=bugtraq&m=134012830914727&w=2
https://openwall.com/lists/oss-security/2012/03/13/4
https://support.apple.com/kb/HT5501
https://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/rfc1867.c?r1=321664&r2=321663&pathrev=321664
https://svn.php.net/viewvc?view=revision&revision=321664
https://www.debian.org/security/2012/dsa-2465
https://www.php.net/ChangeLog-5.php#5.4.0
https://bugs.php.net/bug.php?id=48597
https://bugs.php.net/bug.php?id=49683
https://bugs.php.net/bug.php?id=54374
https://bugs.php.net/bug.php?id=55500
https://nealpoole.com/blog/2011/10/directory-traversal-via-php-multi-file-uploads/
https://students.mimuw.edu.pl/~ai292615/php_multipleupload_overwrite.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
