Update: PHP CRLF Injection vulnerability

Security Focus warns that PHP functions including fopen(), file() and others have a vulnerability that makes it possible to add extra HTTP headers to HTTP requests. Attackers may use it to escape certain restrictions, such as which host to access on a web server. In some cases, the vulnerability even allows arbitrary network connections, turning some PHP scripts into proxies and open mail relays.

The vulnerability affects PHP 4.1.2, 4.2.2, 4.2.3, and the latest CVS.

A workaround as well as more information on the vulnerability is available on the Security Focus web site.
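
As an added illustration (not the Security Focus workaround and not code from the PHP project), one way a script can guard itself is to refuse any user-influenced URL component that contains CR, LF or other control characters before it reaches fopen() or file(). The helper names `has_control_chars()` and `build_fetch_url()`, the host `files.example.com` and the sample inputs are hypothetical, and the path is assumed to arrive unencoded.

```php
<?php
// Added example: validate a user-influenced path before building a URL for
// fopen()/file(). Function names and sample values are constructed.

function has_control_chars($value)
{
    // Decode until stable so %0d%0a and double-encoded %250d are caught too.
    $decoded = $value;
    for ($i = 0; $i < 5; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            // Stable: look for CR, LF, NUL and other control bytes.
            return preg_match('/[\x00-\x1f\x7f]/', $decoded) === 1;
        }
        $decoded = $next;
    }
    // Still changing after five rounds: treat deep nesting as hostile.
    return true;
}

function build_fetch_url($host, $path)
{
    // $host is fixed by the application; only $path is user-influenced.
    if (has_control_chars($path)) {
        return false;
    }
    // Encode every segment so spaces and reserved characters cannot
    // alter the request line that PHP sends.
    $segments = array_map('rawurlencode', explode('/', ltrim($path, '/')));
    return 'http://' . $host . '/' . implode('/', $segments);
}

// Constructed sample inputs: one ordinary path and three carrying CR/LF.
$samples = array(
    'docs/readme.txt',
    "docs/readme.txt\r\nextra",
    'docs/readme.txt%0d%0aextra',
    'docs/readme.txt%250d%250aextra'
);

foreach ($samples as $sample) {
    $url = build_fetch_url('files.example.com', $sample);
    echo ($url === false ? 'rejected' : $url), "\n";
}
```

Keeping the host out of user control and encoding each path segment addresses the host-restriction bypass the advisory mentions, while the control-character check stops extra header lines from being appended.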
