The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0
does not properly determine a pointer during checks for %0D sequences (aka
carriage return characters), which allows remote attackers to bypass an
HTTP response-splitting protection mechanism via a crafted URL, related to
improper interaction between the PHP header function and certain browsers,
as demonstrated by Internet Explorer and Google Chrome. NOTE: this
vulnerability exists because of an incorrect fix for CVE-2011-1398.
tyhicks5.4.x, before 5.4.1-rc1 received the incomplete fix
mdeslaurIncomplete fix for CVE-2011-1398, see CVE-2011-1398 for
regression fix commits
Source: php5 (LP Ubuntu Debian)
Upstream:released (5.3.11,5.4.1~rc1-1)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (5.4.6-1ubuntu1)
More Information

Updated: 2020-09-10 02:14:07 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)