PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability

Bugtraq ID:	23818
Class:	Input Validation Error
CVE:	CVE-2007-2509
Remote:	Yes
Local:	No
Published:	May 04 2007 12:00AM
Updated:	Mar 19 2015 08:43AM
Credit:	[email protected] is credited with the discovery of this vulnerability.
Vulnerable:	Trustix Secure Linux 3.0.5 Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise SDK 10.SP1 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc RedHat Enterprise Linux WS 3 RedHat Enterprise Linux WS 2.1 IA64 RedHat Enterprise Linux WS 2.1 RedHat Enterprise Linux ES 3 RedHat Enterprise Linux ES 2.1 IA64 RedHat Enterprise Linux ES 2.1 RedHat Desktop 3.0 RedHat Advanced Workstation for the Itanium Processor 2.1 IA64 RedHat Advanced Workstation for the Itanium Processor 2.1 Red Hat Enterprise Linux AS 3 Red Hat Enterprise Linux AS 2.1 IA64 Red Hat Enterprise Linux AS 2.1 PHP PHP 5.2.1 + Ubuntu Ubuntu Linux 7.04 sparc + Ubuntu Ubuntu Linux 7.04 powerpc + Ubuntu Ubuntu Linux 7.04 i386 + Ubuntu Ubuntu Linux 7.04 amd64 PHP PHP 5.1.6 + Ubuntu Ubuntu Linux 6.10 sparc + Ubuntu Ubuntu Linux 6.10 powerpc + Ubuntu Ubuntu Linux 6.10 i386 + Ubuntu Ubuntu Linux 6.10 amd64 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 -RC1 PHP PHP 5.1.3 PHP PHP 5.1.2 PHP PHP 5.1.1 PHP PHP 5.1 PHP PHP 5.0.5 PHP PHP 5.0.4 PHP PHP 5.0.3 PHP PHP 5.0.2 PHP PHP 5.0.1 PHP PHP 5.0 candidate 3 PHP PHP 5.0 candidate 2 PHP PHP 5.0 candidate 1 PHP PHP 5.0 .0 PHP PHP 4.4.6 PHP PHP 4.4.5 PHP PHP 4.4.4 PHP PHP 4.4.3 PHP PHP 4.4.2 PHP PHP 4.4.1 PHP PHP 4.4 .0 PHP PHP 4.3.11 PHP PHP 4.3.10 PHP PHP 4.3.9 PHP PHP 4.3.8 + Mandriva Linux Mandrake 10.1 x86_64 + Mandriva Linux Mandrake 10.1 + S.u.S.E. Linux Personal 9.2 + Turbolinux Turbolinux Server 10.0 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 PHP PHP 4.3.7 PHP PHP 4.3.6 PHP PHP 4.3.5 PHP PHP 4.3.4 + MandrakeSoft Corporate Server 3.0 x86_64 + MandrakeSoft Corporate Server 3.0 + Mandriva Linux Mandrake 10.0 AMD64 + Mandriva Linux Mandrake 10.0 + S.u.S.E. Linux Personal 9.1 PHP PHP 4.3.3 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 + Turbolinux Home + Turbolinux Turbolinux 10 F... + Turbolinux Turbolinux Desktop 10.0 PHP PHP 4.3.2 PHP PHP 4.3.1 PHP PHP 4.3 PHP PHP 4.2.3 PHP PHP 4.2.2 PHP PHP 4.2.1 - FreeBSD FreeBSD 4.6 - FreeBSD FreeBSD 4.5 - FreeBSD FreeBSD 4.4 - FreeBSD FreeBSD 4.3 + Slackware Linux 8.1 PHP PHP 4.2 .0 PHP PHP 4.2 -dev PHP PHP 4.1.2 + Apple Mac OS X 10.1.5 + Apple Mac OS X 10.1.4 + Apple Mac OS X 10.1.3 + Apple Mac OS X 10.1.2 + Apple Mac OS X 10.1.1 + Apple Mac OS X 10.1 + Apple Mac OS X 10.1 + Apple Mac OS X 10.0.4 + Apple Mac OS X 10.0.3 + Apple Mac OS X 10.0.2 + Apple Mac OS X 10.0.1 + Apple Mac OS X 10.0 + Debian Linux 3.0 sparc + Debian Linux 3.0 s/390 + Debian Linux 3.0 ppc + Debian Linux 3.0 mipsel + Debian Linux 3.0 mips + Debian Linux 3.0 m68k + Debian Linux 3.0 ia-64 + Debian Linux 3.0 ia-32 + Debian Linux 3.0 hppa + Debian Linux 3.0 arm + Debian Linux 3.0 alpha + MandrakeSoft Multi Network Firewall 2.0 + MandrakeSoft Single Network Firewall 7.2 + Mandriva Linux Mandrake 8.2 ppc + Mandriva Linux Mandrake 8.2 PHP PHP 4.1.1 PHP PHP 4.1 .0 + S.u.S.E. Linux 8.0 i386 + S.u.S.E. Linux 8.0 PHP PHP 4.0.7 RC3 PHP PHP 4.0.7 RC2 PHP PHP 4.0.7 RC1 PHP PHP 4.0.7 PHP PHP 4.0.6 PHP PHP 4.0.5 PHP PHP 4.0.4 PHP PHP 4.0.3 pl1 + S.u.S.E. Linux 6.4 ppc + S.u.S.E. Linux 6.4 i386 + S.u.S.E. Linux 6.4 alpha + S.u.S.E. Linux 6.4 PHP PHP 4.0.3 + Debian Linux 2.2 sparc + Debian Linux 2.2 powerpc + Debian Linux 2.2 IA-32 + Debian Linux 2.2 arm + Debian Linux 2.2 alpha + Debian Linux 2.2 68k + Debian Linux 2.2 + Sun Cobalt Control Station 4100CS + Sun Cobalt Qube3 Japanese 4000WGJ + Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ + Sun Cobalt Qube3 Japanese w/Caching 4010WGJ + Sun Cobalt RaQ XTR 3500R + Sun Cobalt RaQ XTR Japanese 3500R-ja PHP PHP 4.0.2 PHP PHP 4.0.1 pl2 PHP PHP 4.0.1 pl1 PHP PHP 4.0.1 + Sun Cobalt Qube3 4000WG + Sun Cobalt Qube3 w/ Caching and RAID 4100WG + Sun Cobalt Qube3 w/Caching 4010WG + Sun Cobalt RaQ4 3001R + Sun Cobalt RaQ4 Japanese RAID 3100R-ja + Sun Cobalt RaQ4 RAID 3100R PHP PHP 4.0 0 PHP PHP 5.2 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 4.0 Gentoo Linux Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Avaya Communication Manager 2.0 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 + Avaya Communication Manager Server S8700 Avaya Communication Manager 4.0 Avaya CCS 3.1.1 Avaya Aura SIP Enablement Services 3.1.1 Avaya Aura Application Enablement Services 4.0
Not Vulnerable:	PHP PHP 5.2.2 PHP PHP 4.4.7 - Slackware Linux 10.2 - Slackware Linux 11.0 - Slackware Linux -current

PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability

PHP is prone to an HTTP-response-splitting vulnerability because it fails to sanitize user-supplied input.

A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.

This issue affects these versions:

PHP 5 prior to 5.2.2
PHP 4 prior to 4.4.7.

PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.

PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability

Solution:
The vendor released updates to address this issue. Please see the references for more information.


PHP PHP 4.0 0

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.1

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.1 pl2

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.2

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.3 pl1

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.3

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.5

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.7 RC1

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.7 RC2

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.0.7

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.1 .0

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.1.2

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.2 -dev

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.2.1

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.2

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.3

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.4

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.5

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.6

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.8

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.3.9

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.1

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.2

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.4

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.5

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 4.4.6

• PHP php-4.4.7.tar.bz2
  http://www.php.net/get/php-4.4.7.tar.bz2/from/a/mirror


• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0 .0

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0 candidate 1

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0.1

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0.2

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.0.4

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.1

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.3 -RC1

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.4

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.5

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.1.6

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP PHP 5.2.1

• PHP php-5.2.2.tar.gz
  http://www.php.net/get/php-5.2.2.tar.gz/from/a/mirror

PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability

References:

• ASA-2007-231 PHP security update (Avaya)
  
• PHP 4.4.7 Release Announcement (PHP)
  
• PHP 5.2.2 Release Announcement (PHP)
  
• PHP Homepage (PHP)
  
• USN-462-1 - php5 vulnerabilities (Ubuntu)
  
• RHSA-2007:0888-2 - php security update (Red Hat)
  
• RHSA-2007:0889-5 php security update (Red Hat)
  
• SUSE Security Announcement SUSE-SA:2007:044 (SUSE)