5 matches found
Cross site scripting
The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging ...
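PHP 5.4.0RC2-5.4.0 'main/SAPI.c' HTTP Header Injection Vulnerability
BUGTRAQ ID: 55527 CVE ID: CVE-2012-4388 PHP is an HTML-embedded language. Like Microsoft's ASP, it is a server-side scripting language embedded in HTML documents, with a C-like style, and it is now widely used by website developers. In PHP 5.4.0RC2-5.4.0, the sapi_header_op function in main/SAPI.c does not correctly determine a pointer when checking for %0D sequences, which allows remote attackers to bypass the HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers. 0 PHP 5.4.0RC2-5.4.0 Vendor patch: PHP ---...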
CVE-2012-4388
The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improp...
CVE-2012-4388
CVE-2012-4388 affects PHP’s sapi_header_op in main/SAPI.c, where the pointer handling for %0D (carriage return) sequences can bypass HTTP response-splitting protections via crafted URLs. Affected are PHP 5.4.0RC2 through 5.4.0 (and related branches noted in downstream advisories), with remediatio...
CVE-2011-1398
CVE-2011-1398 affects PHP’s SAPI handling: the sapi_header_op function in main/SAPI.c does not check for %0D (carriage return) sequences, allowing HTTP response-splitting bypass via crafted URLs. Affected versions are PHP before 5.3.11 and 5.4.x before 5.4.0RC2. The issue is described in multiple...