DescriptionThe sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, web search, more)
NVD severitymedium (attack range: remote)
Debian/oldoldstablepackage php5 is vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php5 (PTS)squeeze, squeeze (security)5.3.3-7+squeeze19vulnerable
squeeze (lts)
wheezy (security)5.4.45-0+deb7u2fixed
jessie (security)5.6.14+dfsg-0+deb8u1fixed
stretch, sid5.6.15+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[squeeze] - php5 <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems