JVNDB-2008-000084

PHP vulnerable to cross-site scripting

Overview

PHP contains a cross-site scripting vulnerability.

PHP is an open source scripting language that is especially suited for Web development. PHP contains a cross-site scripting vulnerability as it does not properly handle errors.

Tomoki Sanaki of International Network Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

The PHP Group
  • PHP 5.2.7 and earlier
Turbolinux, Inc.
  • Turbolinux 10 Server
  • Turbolinux 10 Server x64 Edition
  • Turbolinux 11 Server
  • Turbolinux 11 Server x64 Edition
  • Turbolinux Appliance Server 2.0
  • Turbolinux Appliance Server 3.0
  • Turbolinux Appliance Server 3.0 x64 Edition
  • Turbolinux Client 2008
MIRACLE LINUX CORPORATION
  • Asianux Server 3 for x86
  • Asianux Server 3 for x86-64
Red Hat, Inc.
  • Red Hat Enterprise Linux (v.5 server)
  • RHEL Desktop Workstation (v.5 client)

Impact

An arbitrary script may be executed on the user's web browser.

Solution

[Update the Software]
Apply the latest update provided by the developer.

According to the developer, PHP 4.X is no longer supported. Users of PHP 4.X are recommended to upgrade to PHP 5.2.X.
Vendor Information

  • The PHP Group
  • Turbolinux, Inc.
  • MIRACLE LINUX CORPORATION
  • Red Hat, Inc.

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2008-5814

References

  1. JVN : JVN#50327700
  2. National Vulnerability Database (NVD) : CVE-2008-5814
  3. JVN iPedia (Japanese) : JVNDB-2008-000084

Revision History

[2008/12/19]
  Web page published
[2009/04/24]
  Affected Products : Added Red Hat, Inc. (RHSA-2009:0338).
  Vendor Information : Added Red Hat, Inc. (RHSA-2009:0338).
[2009/06/23]
  Affected Products : Added MIRACLE LINUX CORPORATION (php-5.1.6-23.2AXS3).
  Vendor Information : Added MIRACLE LINUX CORPORATION (php-5.1.6-23.2AXS3).
[2010/10/19]
  Affected Products : Added Turbolinux, Inc. (TLSA-2010-35).
  Vendor Information : Added Turbolinux, Inc. (TLSA-2010-35).