PHP vulnerable to cross-site scripting


PHP contains a cross-site scripting vulnerability.

PHP is an open source scripting language that is especially suited for Web development. PHP contains a cross-site scripting vulnerability as it does not properly handle errors.

Tomoki Sanaki of International Network Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

The PHP Group
  • PHP 5.2.7 and earlier
Turbolinux, Inc.
  • Turbolinux Appliance Server 2.0
  • Turbolinux Appliance Server 3.0
  • Turbolinux Appliance Server 3.0 (x64)
  • Turbolinux Client 2008
  • Turbolinux Server 10
  • Turbolinux Server 10 (x64)
  • Turbolinux Server 11
  • Turbolinux Server 11 (x64)
  • Asianux Server 3 (x86)
  • Asianux Server 3 (x86-64)
Red Hat, Inc.
  • Red Hat Enterprise Linux 5 (server)
  • RHEL Desktop Workstation 5 (client)


An arbitrary script may be executed on the user's web browser.

[Update the Software]
Apply the latest update provided by the developer.

According to the developer, PHP 4.X is no longer supported. Users of PHP 4.X are recommended to upgrade to PHP 5.2.X.
Vendor Information

The PHP Group Turbolinux, Inc. MIRACLE LINUX CORPORATION Red Hat, Inc.
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2008-5814

  1. JVN : JVN#50327700
  2. National Vulnerability Database (NVD) : CVE-2008-5814
  3. JVN iPedia (Japanese) : JVNDB-2008-000084
Revision History

  • [2008/12/19]
      Web page published
      Affected Products : Added Red Hat, Inc. (RHSA-2009:0338).
      Vendor Information : Added Red Hat, Inc. (RHSA-2009:0338).
      Affected Products : Added MIRACLE LINUX CORPORATION  (php-5.1.6-23.2AXS3).
      Vendor Information : Added MIRACLE LINUX CORPORATION  (php-5.1.6-23.2AXS3).
      Affected Products : Added Turbolinux, Inc. (TLSA-2010-35).
      Vendor Information : Added Turbolinux, Inc. (TLSA-2010-35).