FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  456406
Date:      2017-12-15
Time:      16:33:12Z
Committer: brd

These are the vulnerabilities relating to the commit you have selected:

VuXML ID                              Description
918f38cd-f71e-11e1-8bd8-0022156e8794  php5 -- header splitting attack via carriage-return character

Rui Hirokawa reports:

As of PHP 5.1.2, header() can no longer be used to send multiple response headers in a single call, to prevent the HTTP Response Splitting Attack. header() only checks the linefeed (LF, 0x0A) as the line-end marker; it doesn't check the carriage-return (CR, 0x0D).

However, some browsers, including Google Chrome and IE, also recognize CR as the line-end.

The current specification of header() still has the vulnerability against the HTTP header splitting attack.

Discovery 2011-11-06
Entry 2012-09-05
Modified 2012-09-19
ge 5.2 lt 5.3.11

ge 5.4 lt 5.4.1

ge 0

lt 5.3.11

3761df02-0f9c-11e0-becc-0022156e8794  php -- NULL byte poisoning

A PHP-specific version of NULL-byte poisoning was briefly described by ShAnKaR:

The poison NULL byte vulnerability for perl CGI applications was described in [1]. ShAnKaR noted that the same vulnerability also affects different PHP applications.

PHP developers report that branch 5.3 received a fix:

Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).

Discovery 2010-12-10
Entry 2011-01-13
Modified 2012-11-25
lt 5.3.4

ge 0