Title: PHP Header Function Script Injection Vulnerability
Severity: HIGH
Description:
PHP is a freely available, open source web scripting language package. It is available for Microsoft Windows, Linux, and Unix operating systems.
A problem with PHP may make it possible to execute arbitrary script code.
It has been reported that a vulnerability in the PHP header function exists. It may be possible for a user to supply arbitrary script code in an URL that would allow the injection of script code into the HTTP header.
In such a scenario, a piece of code using the header function as in the following example would be vulnerable:
<?php header("Location: $_GET['$url']"); ?>
This problem could lead to the execution of arbitrary script code in the security context of the redirected site.
Affected Products:
- EnGarde Secure Linux 1.0.1
- MandrakeSoft Corporate Server 2.1.0
- MandrakeSoft Corporate Server 2.1.0 x86_64
- MandrakeSoft Linux Mandrake 9.0.0
- PHP PHP 4.2.3
- Turbolinux Turbolinux Server 7.0.0
- Turbolinux Turbolinux Server 8.0.0
- Turbolinux Turbolinux Workstation 7.0.0
- Turbolinux Turbolinux Workstation 8.0.0
References:
- PHP Group: PHP Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
