PHP vulnerable to cross-site scripting


PHP contains a cross-site scripting vulnerability.

PHP is an open source scripting language that is especially suited for Web development. PHP contains a cross-site scripting vulnerability as it does not properly handle errors.

Tomoki Sanaki of International Network Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

The PHP Group
  • PHP 5.2.7 and earlier
Turbolinux, Inc.
  • Turbolinux 10 Server
  • Turbolinux 10 Server x64 Edition
  • Turbolinux 11 Server
  • Turbolinux 11 Server x64 Edition
  • Turbolinux Appliance Server 2.0
  • Turbolinux Appliance Server 3.0
  • Turbolinux Appliance Server 3.0 x64 Edition
  • Turbolinux Client 2008
  • Asianux Server 3 for x86
  • Asianux Server 3 for x86-64
Red Hat, Inc.
  • Red Hat Enterprise Linux (v.5 server)
  • RHEL Desktop Workstation (v.5 client)


An arbitrary script may be executed on the user's web browser.

[Update the Software]
Apply the latest update provided by the developer.

According to the developer, PHP 4.X is no longer supported. Users of PHP 4.X are advised to upgrade to PHP 5.2.X.

Vendor Information

  • The PHP Group
  • Turbolinux, Inc.
  • MIRACLE LINUX CORPORATION
  • Red Hat, Inc.

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2008-5814

  1. JVN : JVN#50327700
  2. National Vulnerability Database (NVD) : CVE-2008-5814
  3. JVN iPedia (Japanese) : JVNDB-2008-000084

Revision History

  Web page published
  Affected Products : Added Red Hat, Inc. (RHSA-2009:0338).
  Vendor Information : Added Red Hat, Inc. (RHSA-2009:0338).
  Affected Products : Added MIRACLE LINUX CORPORATION (php-5.1.6-23.2AXS3).
  Vendor Information : Added MIRACLE LINUX CORPORATION (php-5.1.6-23.2AXS3).
  Affected Products : Added Turbolinux, Inc. (TLSA-2010-35).
  Vendor Information : Added Turbolinux, Inc. (TLSA-2010-35).