CVE-2011-1398
Published: 2012-08-30
Priority P4 · 31 · medium · 4.3 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 10.17% (95.1th percentile)
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| php | php | <= 5.3.10 | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | >= 5.3.0 < 5.3.11 | 5.3.11 |
CVSS provenance
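| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |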
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2012-09-17·CVSS 4.3
CVE-2011-1398 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain character sequences
when applying HTTP response-splitting protection. A remote attacker could
create a specially-crafted URL and inject arbitrary headers.
(CVE-2011-1398, CVE-2012-4388)
It was discovered that PHP incorrectly handled directories with a large
number of files. This could allow a remote attacker to execute arbitrary
code with the privileges of the web server, or to perform a denial of
service. (CVE-2012-2688)
It was discovered that PHP incorrectly parsed certain PDO prepared
statements. A remote attacker could use this flaw to cause PHP to crash,
leading to a denial of service. (CVE-2012-3450)
Instructions: In general, a standard system upd
Red Hat
php: header() injection detection bypass (incorrect fix for CVE-2011-1398)
vendor_redhat·2012-09-02·CVSS 4.3
CVE-2012-4388 [MEDIUM] php: header() injection detection bypass (incorrect fix for CVE-2011-1398)
The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.
Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5 and 6, and the version of php53 as shipped with Red Hat Enterprise Linux 5 as they did not include the
Red Hat
PHP: sapi_header_op() %0D sequence handling security bypass
vendor_redhat·2011-11-06·CVSS 4.3
CVE-2011-1398 [MEDIUM] PHP: sapi_header_op() %0D sequence handling security bypass
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
GHSA
GHSA-g6fq-45x6-cmh4: The sapi_header_op function in main/SAPI
ghsa_unreviewed·2022-05-17
CVE-2011-1398 [MEDIUM] CWE-20 GHSA-g6fq-45x6-cmh4: The sapi_header_op function in main/SAPI
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
GHSA
GHSA-78pr-9xh4-8h52: The sapi_header_op function in main/SAPI
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2012-4388 [MEDIUM] CWE-20 GHSA-78pr-9xh4-8h52: The sapi_header_op function in main/SAPI
The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.
No detection rules found.
Bugzilla
CVE-2012-4388 php: header() injection detection bypass (incorrect fix for CVE-2011-1398)
bugzilla·2012-09-04·CVSS 4.3
CVE-2012-4388 [MEDIUM] CVE-2012-4388 php: header() injection detection bypass (incorrect fix for CVE-2011-1398)
Originally the CVE identifier of CVE-2011-1398 has been assigned by Common Vulnerabilities and Exposures to the following security flaw:
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 does not properly handle %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
It was reported that the original upstream patch would not completely address the CVE-2011-1398 issue:
[1] http://www.openwall.com/lists/oss-security/2012/08/29/5
The CVE identifier of
Bugzilla
CVE-2011-1398 PHP: sapi_header_op() %0D sequence handling security bypass
bugzilla·2012-08-31·CVSS 4.3
CVE-2011-1398 [MEDIUM] CVE-2011-1398 PHP: sapi_header_op() %0D sequence handling security bypass
This was originally reported by [email protected] to the PHP project.
The CVE database entry reports:
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 does
not properly handle %0D sequences (aka carriage return characters),
which allows remote attackers to bypass an HTTP response-splitting
protection mechanism via a crafted URL, related to improper
interaction between the PHP header function and certain browsers, as
demonstrated by Internet Explorer and Google Chrome.
Upstream bug and fix:
https://bugs.php.net/bug.php?id=60227
https://bugs.php.net/patch-display.php?bug_id=60227&patch=SAPI.diff&revision=latest
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=323986&r2=32
http://article.gmane.org/gmane.comp.php.devel/70584
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
http://openwall.com/lists/oss-security/2012/08/29/5
http://openwall.com/lists/oss-security/2012/09/05/15
http://rhn.redhat.com/errata/RHSA-2013-1307.html
http://secunia.com/advisories/55078
http://security-tracker.debian.org/tracker/CVE-2011-1398
http://www.securitytracker.com/id?1027463
http://www.ubuntu.com/usn/USN-1569-1
https://bugs.php.net/bug.php?id=60227