GoogleCodeExporter
commented
9 years ago You are right, the current development version is still "vulnerable".
I consider the risk very low. PHP as of 5.1.2 does not accept multiple
header-lines in one header() call [0]. We require PHP >= 5.1.0 [1], so only
5.1.0 and 5.1.1 users are affected. And only 0,00004806% of all PHP
installations still use one of these versions according to [2]. And for a good
reason: There are no security updates for PHP 5.1 since 2006, so servers
running these PHP versions most likely have known security issues in PHP itself.
And the injection can only be done by someone who is authorized (has entered
the correct password).
Of course we will fix this anyway. But it does not seem to be very urgent.
Any user of phpLiteAdmin with PHP < 5.1.2 that gives access (the password) to
people he does not trust is recommended to update PHP.
[0]
http://php.net/manual/en/function.header.php#refsect1-function.header-changelog
[1] http://code.google.com/p/phpliteadmin/
[2] http://w3techs.com/technologies/details/pl-php/5.1/allOriginal comment by crazy4ch...@gmail.com on 23 Apr 2014 at 9:53
- Changed state: Accepted
- Added labels: ****
- Removed labels: ****
Original issue reported on code.google.com by
andres.riancho@gmail.comon 23 Apr 2014 at 6:38