CVE-2011-1398 - OpenCVE

The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Php	Php

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php:5.3.0:::::::*
	cpe:2.3:a:php:php:5.3.1:::::::*
	cpe:2.3:a:php:php:5.3.2:::::::*
	cpe:2.3:a:php:php:5.3.3:::::::*
	cpe:2.3:a:php:php:5.3.4:::::::*
	cpe:2.3:a:php:php:5.3.5:::::::*
	cpe:2.3:a:php:php:5.3.6:::::::*
	cpe:2.3:a:php:php:5.3.7:::::::*
	cpe:2.3:a:php:php:5.3.8:::::::*
	cpe:2.3:a:php:php:5.3.9:::::::*

References

Link	Resource
http://article.gmane.org/gmane.comp.php.devel/70584
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
http://openwall.com/lists/oss-security/2012/08/29/5
http://openwall.com/lists/oss-security/2012/09/05/15
http://rhn.redhat.com/errata/RHSA-2013-1307.html
http://secunia.com/advisories/55078
http://security-tracker.debian.org/tracker/CVE-2011-1398
http://www.securitytracker.com/id?1027463
http://www.ubuntu.com/usn/USN-1569-1
https://bugs.php.net/bug.php?id=60227

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2012-08-30T22:00:00

Updated: 2012-09-13T09:00:00

Reserved: 2011-03-10T00:00:00

Link: CVE-2011-1398

JSON object: View

NVD Information

Status : Modified

Published: 2012-08-30T22:55:02.497

Modified: 2013-10-11T03:34:31.370

Link: CVE-2011-1398

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-02-03T00:00:00", "descriptions": [{"lang": "en", "value": "The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2012-09-13T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20120905 Re: php header() header injection detection bypass", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2012/09/05/15"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://security-tracker.debian.org/tracker/CVE-2011-1398"}, {"name": "1027463", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1027463"}, {"name": "55078", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55078"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.php.net/bug.php?id=60227"}, {"name": "RHSA-2013:1307", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1307.html"}, {"name": "[oss-security] 20120829 php header() header injection detection bypass", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2012/08/29/5"}, {"name": "SUSE-SU-2013:1315", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html"}, {"name": "[internals] 20120203 [PHP-DEV] The case of HTTP response splitting protection in PHP", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://article.gmane.org/gmane.comp.php.devel/70584"}, {"name": "USN-1569-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1569-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-1398", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20120905 Re: php header() header injection detection bypass", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2012/09/05/15"}, {"name": "http://security-tracker.debian.org/tracker/CVE-2011-1398", "refsource": "CONFIRM", "url": "http://security-tracker.debian.org/tracker/CVE-2011-1398"}, {"name": "1027463", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1027463"}, {"name": "55078", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55078"}, {"name": "https://bugs.php.net/bug.php?id=60227", "refsource": "MISC", "url": "https://bugs.php.net/bug.php?id=60227"}, {"name": "RHSA-2013:1307", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1307.html"}, {"name": "[oss-security] 20120829 php header() header injection detection bypass", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2012/08/29/5"}, {"name": "SUSE-SU-2013:1315", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html"}, {"name": "[internals] 20120203 [PHP-DEV] The case of HTTP response splitting protection in PHP", "refsource": "MLIST", "url": "http://article.gmane.org/gmane.comp.php.devel/70584"}, {"name": "USN-1569-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1569-1"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-1398", "datePublished": "2012-08-30T22:00:00", "dateReserved": "2011-03-10T00:00:00", "dateUpdated": "2012-09-13T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "967EAC47-405C-4AA9-AC96-D3D750029AD0", "versionEndIncluding": "5.3.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EF4B938-BB14-4C06-BEE9-10CA755C5DEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "981C922C-7A7D-473E-8C43-03AB62FB5B8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "5D0CD11A-09C2-4C60-8F0C-68E55BD6EE63", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "B0F40E4A-E125-4099-A8B3-D42614AA9312", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "4933D9DD-A630-4A3D-9D13-9E182F5F6F8C", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "A9E6D530-91FC-42F4-A427-6601238E0187", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "9EC938DB-E066-407F-BDF8-61A1C41136F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "ACDF768D-7F5A-4042-B7DD-398F65F3F094", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "2AF35BB6-C6B1-4683-A8BE-AA72CC34F5B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "EC3F1891-032D-409C-904C-A415D2323DFC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome."}, {"lang": "es", "value": "La funci\u00f3n sapi_header_op en el archivo main/SAPI.c en PHP anterior a versi\u00f3n 5.3.11 y versiones 5.4.x anteriores a 5.4.0RC2, no comprueba si hay secuencias de %0D (tambi\u00e9n se conoce como caracteres de retorno de acarreo), lo que permite a atacantes remotos omitir un mecanismo de protecci\u00f3n de divisi\u00f3n de respuesta HTTP por medio de una URL dise\u00f1ada, relacionada con la interacci\u00f3n inapropiada entre la funci\u00f3n de PHP header y ciertos navegadores, como es demostrado por Internet Explorer y Google Chrome."}], "id": "CVE-2011-1398", "lastModified": "2013-10-11T03:34:31.370", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-08-30T22:55:02.497", "references": [{"source": "cve@mitre.org", "url": "http://article.gmane.org/gmane.comp.php.devel/70584"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html"}, {"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2012/08/29/5"}, {"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2012/09/05/15"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-1307.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/55078"}, {"source": "cve@mitre.org", "url": "http://security-tracker.debian.org/tracker/CVE-2011-1398"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1027463"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-1569-1"}, {"source": "cve@mitre.org", "url": "https://bugs.php.net/bug.php?id=60227"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}