Debian Bug report logs - #354683
PHP4 in Sarge appears vulnerable to CVE-2006-0207


Package: php4; Maintainer for php4 is (unknown);

Reported by: "Nick Jenkins" <nickpj@gmail.com>

Date: Tue, 28 Feb 2006 04:48:19 UTC

Severity: normal

Tags: security

Found in version 4:4.3.10-16

Fixed in version php4/4:4.4.2

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#354683; Package php4.


Acknowledgement sent to "Nick Jenkins" <nickpj@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: "Nick Jenkins" <nickpj@gmail.com>
To: submit@bugs.debian.org
Subject: PHP4 in Sarge appears vulnerable to CVE-2006-0207
Date: Tue, 28 Feb 2006 15:29:16 +1100
Package: php4
Version: 4:4.3.10-16
Severity: normal
Tags: security

Ref:
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0207

Description:
  Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote
 attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header,
 related to the (1) session extension (aka ext/session) and the (2) header
 function.

Vulnerable PHP versions:
  CVE report lists 5.1.1, however versions prior to PHP version 4.4.2
are also vulnerable according to:
http://www.frsirt.com/english/advisories/2006/0177



Bug marked as fixed in version 4:4.4.2, send any further explanations to "Nick Jenkins" <nickpj@gmail.com> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#354683; Package php4.


Acknowledgement sent to Iosif Peterfi <iosif.peterfi@fortesys.ro>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #12 received at 354683@bugs.debian.org:

From: Iosif Peterfi <iosif.peterfi@fortesys.ro>
To: 354683@bugs.debian.org
Subject: sid
Date: Fri, 07 Apr 2006 18:16:28 +0300
Is Debian 3.1 sid stable affected? If it is, when will it be patched?





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#354683; Package php4.


Acknowledgement sent to Iosif Peterfi <iosif.peterfi@fortesys.ro>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #17 received at 354683@bugs.debian.org:

From: Iosif Peterfi <iosif.peterfi@fortesys.ro>
To: 354683@bugs.debian.org
Subject: typo
Date: Fri, 07 Apr 2006 18:21:14 +0300
I meant Debian stable (sarge)





Bug marked as not found in version 4:4.3.10-16. Request was from "Michal Pokrywka" <mpokrywka@hoga.pl> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#354683; Package php4.


Acknowledgement sent to Moritz Naumann <info@moritz-naumann.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #24 received at 354683@bugs.debian.org:

From: Moritz Naumann <info@moritz-naumann.com>
To: 354683@bugs.debian.org
Subject: PHP 4.3.10-16 (sarge) remains vulnerable to CVE-2006-0207
Date: Tue, 15 Aug 2006 02:09:43 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354683;msg=19
and
http://idssi.enyo.de/tracker/CVE-2006-0207
claim CVE-2006-0207 would not apply to sarge's 4.3.10-16. However, it
does apply.

The false assumption that the advisory by Stefan Esser (Hardened PHP) at
http://www.hardened-php.net/advisory_012006.112.html would cover both
vectors of CVE-2006-0207, has likely led to an incorrect conclusion of
assuming that CVE-2006-0207 would not affect sarge. However, by my
understanding, this advisory only covers the session injection vector
(vector 1 as mentioned in CVE-2006-0207), not the header() injection
issue (vector 2 as mentioned in CVE-2006-0207) which affects upstream
PHP4 < 4.4.2 and PHP5 < 5.1.2, and also affects sarge's 4.3.10-16.


PoC:

echo '<?php header("Location: http://example.org/".$_GET["x"]); ?>' \
> /var/www/header.php

Then direct your web browser to
http://MYDEFAULTHOST/header.php?x=%0d%0aLocation:%20javascript:alert(0);%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Cscript%3Ealert(0);%3C/script%3EVulnerable%20PHP%20version%20detected.%3C!--
(obviously, replace MYDEFAULTHOST by whatever (virtual)host you can
access this script through).
If vulnerable, this should return one or two javascript warnings saying
'0' or a client (not PHP!) error with most HTTP clients. You should also
see a page saying "Vulnerable PHP version detected." if you're vulnerable.

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFE4RDHn6GkvSd/BgwRAkqpAKCVi+1XydxeVv9JIEHz7SHVz2bDwQCdFx90
t2YSPZOcP4PKl8g057KJGcU=
=exFc
-----END PGP SIGNATURE-----
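
Added example (not part of Moritz Naumann's message, and not PHP or Debian code): an application-level hardening of the header.php test script above, for hosts still running a PHP whose header() accepts embedded line breaks. The helper names safe_header_value() and build_location() are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not from the bug report. safe_header_value() and
// build_location() are hypothetical helper names.

// PHP has already URL-decoded $_GET, so "%0d%0a" in the query string
// arrives here as a raw CR LF pair. Refuse such values outright.
function safe_header_value($value)
{
    if (!is_string($value)) {            // ?x[]=... yields an array
        return null;
    }
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// Build the redirect target; percent-encode each path segment so that only
// URL-safe characters are ever concatenated into the header line.
function build_location($base, $suffix)
{
    $suffix = safe_header_value($suffix);
    if ($suffix === null) {
        return null;
    }
    $segments = array_map('rawurlencode', explode('/', $suffix));
    return $base . implode('/', $segments);
}

if (php_sapi_name() === 'cli') {
    // Constructed inputs: a normal path and a decoded CR LF injection attempt.
    $samples = array('docs/index.html', "\r\nContent-Type: text/html\r\n\r\nx");
    foreach ($samples as $s) {
        $loc = build_location('http://example.org/', $s);
        echo ($loc === null ? 'rejected' : $loc), "\n";
    }
    exit(0);
}

$location = build_location('http://example.org/', isset($_GET['x']) ? $_GET['x'] : '');
if ($location === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid redirect target');
}
header('Location: ' . $location);
```

Run from the command line, it prints the encoded URL for the normal path and "rejected" for the CR LF sample; served by a web server, it answers the request from the report with a 400 instead of a split response.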



Bug marked as found in version 4:4.3.10-16. Request was from Moritz Naumann <bugs.debian.org@moritz-naumann.com> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 20:13:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 02:14:48 2023; Machine Name: buxtehude
