oss-sec mailing list archives
Re: Re: php header() header injection detection bypass
From: Raphael Geissert <geissert () debian org>
Date: Thu, 6 Sep 2012 20:56:24 -0500
On Wednesday 05 September 2012 12:05:43 cve-assign () mitre org wrote: [...]
In the actual situation, the https://bugs.php.net/patch-display.php?bug_id=60227&patch=SAPI.diff&revision=1320563128 patch had a logic flaw related to the "((p = memchr(s, '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))" expression. MITRE prefers to categorize this type of situation as an "incorrect fix" not an "incomplete fix." Admittedly, for many CVE users it doesn't matter.
You are indeed right, it is better to categorize it as an incorrect fix.
Note 2: We probably haven't found the exact affected 5.4.0RC versions, but this doesn't matter much because those versions aren't widely used. Specifically, we don't know whether there's a supported download location for every pre-release version that ever existed, but we happened to find the http://php.marvel.strk.jp/archive/ directory. Here, 5.4.0alpha3 (August 2011) does not check for '\r' at all, whereas 5.4.0RC2 (December 2011) can check for '\r' but has the above-mentioned logic flaw. This is consistent with the 2011-11-06 SVN date listed in bug 60227.
Since RCs and alphas are published in user dirs, and not in the main release system, I don't think they are actively archived.

However, taking a look at the 5.4.0RC1 tag in git, it seems the issue was indeed introduced in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC1/main/SAPI.c#L715

And to confirm it in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC2/main/SAPI.c#L715

Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
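
Added example, not part of the original message or of PHP's source: a C sketch of why the expression quoted in the thread is a logic flaw rather than a missing case. The `while` condition is the quoted expression; the loop body (a line break followed by a space or tab is treated as a folded continuation), the function names and the sample header are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a bare CR placed before a folded "\n " continuation. */
static const char SAMPLE[] = "X-Test: a\rX-Other: b\n c";

/* Returns 1 if the header is accepted, 0 if a line break is detected.
 * The while-condition is the expression quoted in the thread. The loop body
 * (a break followed by SP/HT counts as a folded line) is an assumption. */
static int accept_flawed(const char *hdr, size_t len)
{
    const char *s = hdr, *e = hdr + len, *p;
    while (s < e && ((p = memchr(s, '\n', (size_t)(e - s))) ||
                     (p = memchr(s, '\r', (size_t)(e - s))))) {
        if (p + 1 < e && (p[1] == ' ' || p[1] == '\t')) {
            s = p + 1;  /* skips everything before p, including any '\r' */
            continue;
        }
        return 0;
    }
    return 1;           /* '\r' was searched only once no '\n' remained */
}

/* One corrected form: examine CR and LF in a single left-to-right pass. */
static int accept_fixed(const char *hdr, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (hdr[i] != '\n' && hdr[i] != '\r')
            continue;
        if (i + 1 < len && (hdr[i + 1] == ' ' || hdr[i + 1] == '\t'))
            continue;   /* folded continuation line */
        return 0;       /* bare CR or LF: reject */
    }
    return 1;
}

int main(void)
{
    size_t n = sizeof SAMPLE - 1;
    printf("flawed check accepts: %d\n", accept_flawed(SAMPLE, n));
    printf("fixed check accepts:  %d\n", accept_fixed(SAMPLE, n));
    return 0;
}
```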