4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.013 Low
EPSS
Percentile
85.5%
Rui Hirokawa reports:
As of PHP 5.1.2, header() can no longer be used to send
multiple response headers in a single call to prevent the
HTTP Response Splitting Attack. header() only checks the
linefeed (LF, 0x0A) as line-end marker, it doesn’t check the
carriage-return (CR, 0x0D).
However, some browsers including Google Chrome, IE also
recognize CR as the line-end.
The current specification of header() still has the
vulnerability against the HTTP header splitting attack.