Bugzilla – Bug 1108753
VUL-0: CVE-2018-17082: php5,php7,php53: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
Last modified: 2023-10-26 10:35:19 UTC
rh#1629552

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1629552
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17082
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-17082.html
https://bugs.php.net/bug.php?id=76582
https://github.com/php/php-src/commit/23b057742e3cf199612fa8050ae86cae675e214e

Seems like all php packages in all codestreams are affected by this:
SUSE:SLE-10-SP3:Update
SUSE:SLE-11:Update
SUSE:SLE-11-SP3:Update
SUSE:SLE-12:Update
SUSE:SLE-15:Update

Running apache2/mod_php7 on 15,12 and 11sp3, nc-ing on Tumbleweed.

# cat /srv/www/htdocs/lol.php
<?php
function respond_with($header, $body) {
    header($header);
    die(json_encode($body));
}
$body = "{'hack':'1'}";
$header = "200 Status Ok";
respond_with($header,$body);
?>
#

$ (printf "POST /lol.php HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\nTransfer-Encoding: chunked\r\nContent-Length: 25\r\n\r\n<script>alert(2)</script>\r\n\r\n"; sleep 1) | nc 127.0.0.1 80 | tail

BEFORE

15,12/php7 and 12/php5

<h2>Error 400</h2>
<address>
<a href="/">localhost</a><br />
<span>Apache/2.4.10 (Linux/SUSE)</span>
</address>
</body>
</html>
"{'hack':'1'}"<script>alert(2)</script>
$

11sp3/php53

<h2>Error 400</h2>
<address>
<a href="/">localhost</a><br />
<span>Wed Sep 19 10:47:01 2018<br />
Apache/2.2.34 (Linux/SUSE)</span>
</address>
</body>
</html>
$

So 11sp3/php53 does not reproduce the issue for me.

AFTER

12,15/php7,12/php5,11sp3/php53

<h2>Error 400</h2>
<address>
<a href="/">localhost</a><br />
<span>Apache</span>
</address>
</body>
</html>
"{'hack':'1'}"
$
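
Added example, not part of the bug report or of the PHP fix: the reproducer request above carries both Transfer-Encoding: chunked and Content-Length, and its body is not valid chunk framing. The Python sketch below flags that request shape, for instance in a front-end proxy check or a log pipeline; the function names and the benign sample are constructed for illustration.

```python
# Added example: flag requests shaped like the reproducer in this bug.
HEX = b"0123456789abcdefABCDEF"

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (lower-cased headers, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def chunked_body_is_valid(body: bytes) -> bool:
    """True only for well-formed chunk framing that ends with a 0-size chunk."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False                              # no chunk-size line
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop extensions
        if not size_field or any(c not in HEX for c in size_field):
            return False                              # size is not plain hex
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return body[pos:].endswith(b"\r\n")       # optional trailers + CRLF
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False                              # chunk data not CRLF-terminated
        pos += size + 2

def findings(raw: bytes):
    """Return the list of anomalies seen in one raw request."""
    headers, body = parse_request(raw)
    out = []
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    if chunked and "content-length" in headers:
        out.append("te-and-cl")                       # conflicting length framing
    if chunked and not chunked_body_is_valid(body):
        out.append("bad-chunk-framing")
    return out

# Constructed samples: REPRO mirrors the printf request above, BENIGN is made up.
REPRO = (b"POST /lol.php HTTP/1.1\r\nHost: localhost\r\n"
         b"Content-Type: application/json\r\nTransfer-Encoding: chunked\r\n"
         b"Content-Length: 25\r\n\r\n<script>alert(2)</script>\r\n\r\n")
BENIGN = (b"POST /lol.php HTTP/1.1\r\nHost: localhost\r\n"
          b'Transfer-Encoding: chunked\r\n\r\nc\r\n{"hack":"1"}\r\n0\r\n\r\n')

if __name__ == "__main__":
    for name, req in (("REPRO", REPRO), ("BENIGN", BENIGN)):
        print(name, findings(req))
```
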
Packages submitted for: 15,12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5. I believe all fixed.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-10-08. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64146

SUSE-SU-2018:2887-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php7-7.0.7-50.52.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-50.52.1

openSUSE-SU-2018:2929-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
openSUSE Leap 42.3 (src): php7-7.0.7-49.1

SUSE-SU-2018:3016-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1108554,1108753
CVE References: CVE-2018-17082
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src): php7-7.2.5-4.12.2

SUSE-SU-2018:3017-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php5-5.5.14-109.41.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.41.1

SUSE-SU-2018:3018-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-112.41.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-112.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.41.1

done

openSUSE-SU-2018:3056-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
openSUSE Leap 42.3 (src): php5-5.5.14-106.2

openSUSE-SU-2018:3062-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1108554,1108753
CVE References: CVE-2018-17082
Sources used:
openSUSE Leap 15.0 (src): php7-7.2.5-lp150.2.15.1

This is an autogenerated message for OBS integration: This bug (1108753) was mentioned in https://build.opensuse.org/request/show/802846 Factory / php7
This is an autogenerated message for OBS integration: This bug (1108753) was mentioned in https://build.opensuse.org/request/show/802978 Factory / php7
This is an autogenerated message for OBS integration: This bug (1108753) was mentioned in https://build.opensuse.org/request/show/804946 Factory / php7
This is an autogenerated message for OBS integration: This bug (1108753) was mentioned in https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81