sapioit / phpliteadmin

Automatically exported from code.google.com/p/phpliteadmin
1 stars 0 forks source link

vulnerable to http header injection #249

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The "filename" parameter of the "phpliteadmin.php" script, when invoked as 
"/manager/phpliteadmin.php?view=export" is vulnerable to http header injection 
[0]

Found this during an automated scan, verified and seems to work. Tested against 
1.9.3.3

This is a low risk vulnerability

[0] http://en.wikipedia.org/wiki/HTTP_header_injection

Original issue reported on code.google.com by andres.riancho@gmail.com on 23 Apr 2014 at 6:38

GoogleCodeExporter commented 9 years ago
You are right, the current development version is still "vulnerable".

I consider the risk very low. PHP as of 5.1.2 does not accept multiple 
header-lines in one header() call [0]. We require PHP >= 5.1.0 [1], so only 
5.1.0 and 5.1.1 users are affected. And only 0,00004806% of all PHP 
installations still use one of these versions according to [2]. And for a good 
reason: There are no security updates for PHP 5.1 since 2006, so servers 
running these PHP versions most likely have known security issues in PHP itself.

And the injection can only be done by someone who is authorized (has entered 
the correct password).

Of course we will fix this anyway. But it does not seem to be very urgent.

Any user of phpLiteAdmin with PHP < 5.1.2 that gives access (the password) to 
people he does not trust is recommended to update PHP.

[0] 
http://php.net/manual/en/function.header.php#refsect1-function.header-changelog
[1] http://code.google.com/p/phpliteadmin/
[2] http://w3techs.com/technologies/details/pl-php/5.1/all

Original comment by crazy4ch...@gmail.com on 23 Apr 2014 at 9:53

GoogleCodeExporter commented 9 years ago
Agreed on all your comments.

Original comment by andres.riancho@gmail.com on 23 Apr 2014 at 9:58

GoogleCodeExporter commented 9 years ago

Original comment by crazy4ch...@gmail.com on 22 May 2014 at 8:08

GoogleCodeExporter commented 9 years ago
Fixed this in git with rev 6922a7df4e2b629d8ae54bb482b0677b02104df3

Original comment by crazy4ch...@gmail.com on 26 Dec 2014 at 11:26