vulnerable to http header injection

Comments (4)

1. 

   Christopher Kramer

   You are right, the current development version is still "vulnerable".
   
   I consider the risk very low. PHP as of 5.1.2 does not accept multiple header-lines
   in one header() call [0]. We require PHP >= 5.1.0 [1], so only 5.1.0 and 5.1.1 users
   are affected. And only 0,00004806% of all PHP installations still use one of these
   versions according to [2]. And for a good reason: There are no security updates for
   PHP 5.1 since 2006, so servers running these PHP versions most likely have known security
   issues in PHP itself.
   
   And the injection can only be done by someone who is authorized (has entered the correct
   password).
   
   Of course we will fix this anyway. But it does not seem to be very urgent.
   
   Any user of phpLiteAdmin with PHP < 5.1.2 that gives access (the password) to people
   he does not trust is recommended to update PHP.
   
   [0] http://php.net/manual/en/function.header.php#refsect1-function.header-changelog
   [1] http://code.google.com/p/phpliteadmin/
   [2] http://w3techs.com/technologies/details/pl-php/5.1/all
   

   Reported by crazy4chrissi on 2014-04-23 21:53:08 - Status changed: Accepted

   • 2014-04-23T21:53:08+00:00
2. 

   andres.riancho reporter

   Agreed on all your comments.
   

   Reported by andres.riancho on 2014-04-23 21:58:09

   • 2014-04-23T21:58:09+00:00
3. 

   Christopher Kramer

   Reported by crazy4chrissi on 2014-05-22 20:08:21 - Labels added: Target-1.9.6

   • 2014-05-22T20:08:21+00:00
4. 

   Christopher Kramer

   Fixed this in git with rev 6922a7df4e2b629d8ae54bb482b0677b02104df3
   

   Reported by crazy4chrissi on 2014-12-26 23:26:48 - Status changed: Fixed

   • 2014-12-26T23:26:48+00:00
5. Log in to comment