Vendor: PHP
By: Unknown
CVSS: 5.5 (MEDIUM)
HTTP Response Header Injection
CWE: 79
Product Name: PHP
Affected Version From: PHP 5.2.3
Affected Version To: PHP 5.2.3 and prior versions, PHP 4.4.7 and prior versions
Patch Exists: YES
Related CVE: CVE-2007-1864
CPE: a:php:php
Metasploit:
https://www.rapid7.com/db/vulnerabilities/php-cve-2007-1864/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0349/
https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2007-1864/
https://www.rapid7.com/db/vulnerabilities/suse-cve-2007-1864/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0348/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0349/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0355/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0348/
Platforms Tested:
2007
HTTP Response Header Injection in PHP
PHP is prone to an HTTP-response-header-injection vulnerability because it fails to sanitize user-supplied input. An attacker can exploit this issue to inject additional cookie attributes into session cookies. This may lead to other attacks.
Mitigation:
To mitigate this vulnerability, it is recommended to sanitize and validate user-supplied input before using it in HTTP response headers.
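One way to apply this mitigation at the application layer, shown as an added example (it is not PHP's own patch or code from this advisory): a client-supplied session identifier is checked against a strict allowlist before it is ever placed in a Set-Cookie header. The function names, the allowed character set and length range, the cookie name and the sample inputs are assumptions made for illustration; the code needs PHP 7.1 or later.

```php
<?php
// Added example. All function names here are hypothetical helpers.

// Accept an identifier only if every character is on the allowlist.
// ';', ',', '=', spaces, CR and LF are therefore rejected, so the value
// cannot introduce cookie attributes or start a new header line.
function is_safe_session_id(string $id): bool
{
    // \A and \z anchor the whole string; unlike '$', \z does not
    // tolerate a trailing newline.
    return preg_match('/\A[A-Za-z0-9-]{16,128}\z/', $id) === 1;
}

// Use the supplied identifier if it validates, otherwise issue a new one.
function resolve_session_id(?string $supplied): string
{
    if ($supplied !== null && is_safe_session_id($supplied)) {
        return $supplied;
    }
    return bin2hex(random_bytes(16)); // 32 hex characters
}

// Build the header line; refuses to emit anything that failed validation.
function build_session_cookie(string $name, string $id): string
{
    if (!is_safe_session_id($id)) {
        throw new InvalidArgumentException('session id rejected');
    }
    return sprintf('Set-Cookie: %s=%s; Path=/; HttpOnly; Secure', $name, $id);
}

// Constructed sample inputs: one well-formed, two carrying delimiters.
$samples = [
    'a3f9c2d47b8e4f10a3f9c2d47b8e4f10',
    'a3f9c2d47b8e4f10; Domain=.example.test',
    "a3f9c2d47b8e4f10\r\nX-Added: 1",
];

foreach ($samples as $supplied) {
    $id = resolve_session_id($supplied);
    printf(
        "%-8s %s\n",
        $id === $supplied ? 'accepted' : 'replaced',
        build_session_cookie('SID', $id)
    );
}
```

Only the first sample is passed through unchanged; the other two are replaced with a freshly generated identifier, so the emitted header always carries exactly the attributes the application set.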