Bug 1108753 (CVE-2018-17082) - VUL-0: CVE-2018-17082: php5,php7,php53: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
Status: RESOLVED FIXED
Alias: CVE-2018-17082
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Deadline: 2018-10-08
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/214893/
Whiteboard: CVSSv3:RedHat:CVE-2018-17082:6.1:(A...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-18 07:27 UTC by Karol Babioch
Modified: 2023-10-26 10:35 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Karol Babioch 2018-09-18 07:27:04 UTC
rh#1629552

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before
7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding:
chunked" request, because the bucket brigade is mishandled in the php_handler
function in sapi/apache2handler/sapi_apache2.c.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1629552
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17082
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-17082.html
https://bugs.php.net/bug.php?id=76582
https://github.com/php/php-src/commit/23b057742e3cf199612fa8050ae86cae675e214e
Comment 1 Karol Babioch 2018-09-18 08:02:47 UTC
Seems like all php packages in all codestreams are affected by this:

SUSE:SLE-10-SP3:Update
SUSE:SLE-11:Update
SUSE:SLE-11-SP3:Update
SUSE:SLE-12:Update
SUSE:SLE-15:Update
Comment 2 Petr Gajdos 2018-09-19 10:57:07 UTC
Running apache2/mod_php7 on 15,12 and 11sp3, nc-ing on Tumbleweed.

# cat /srv/www/htdocs/lol.php
<?php
function respond_with($header, $body) {
header($header);

die(json_encode($body));
}
$body = "{'hack':'1'}";
$header = "200 Status Ok";
respond_with($header,$body);
?>
#

$ (printf "POST /lol.php HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\nTransfer-Encoding: chunked\r\nContent-Length: 25\r\n\r\n<script>alert(2)</script>\r\n\r\n"; sleep 1) | nc 127.0.0.1 80 | tail

BEFORE

15,12/php7 and 12/php5

<h2>Error 400</h2>
<address>
  <a href="/">localhost</a><br />
  <span>Apache/2.4.10 (Linux/SUSE)</span>
</address>
</body>
</html>

"{'hack':'1'}"<script>alert(2)</script>
$

11sp3/php53

<h2>Error 400</h2>
<address>
  <a href="/">localhost</a><br />
  
  <span>Wed Sep 19 10:47:01 2018<br />
  Apache/2.2.34 (Linux/SUSE)</span>
</address>
</body>
</html>

$
So 11sp3/php53 does not reproduce the issue for me.
Comment 3 Petr Gajdos 2018-09-19 13:52:51 UTC
AFTER

12,15/php7,12/php5,11sp3/php53

<h2>Error 400</h2>
<address>
  <a href="/">localhost</a><br />
  <span>Apache</span>
</address>
</body>
</html>

"{'hack':'1'}"
$
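
Added example, not part of the bug report and not PHP or Apache code: a Python check that flags requests shaped like the one sent in comment 2, i.e. Transfer-Encoding: chunked combined with Content-Length and a body that is not valid chunk framing. The function names and both sample requests are constructed for illustration; the input is assumed to be raw request bytes, for instance from a proxy capture.

```python
import re
CRLF = b"\r\n"

def parse_request(raw):
    """Split raw HTTP/1.1 request bytes into (lower-cased headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def chunked_body_is_valid(body):
    """Walk chunk framing: hex size line, data, CRLF, ... until a 0-size chunk."""
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            return False  # size line never terminated
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return False  # e.g. markup where a chunk size belongs
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return True  # last chunk reached; trailers are not inspected
        if body[pos + size:pos + size + 2] != CRLF:
            return False  # chunk data shorter or longer than declared
        pos += size + 2

def findings(raw):
    headers, body = parse_request(raw)
    if b"chunked" not in headers.get(b"transfer-encoding", b""):
        return []
    out = []
    if b"content-length" in headers:
        out.append("Transfer-Encoding: chunked sent together with Content-Length")
    if not chunked_body_is_valid(body):
        out.append("body is not valid chunked framing")
    return out

# Constructed sample: same header combination as comment 2, harmless 25-byte body.
MALFORMED = (b"POST /lol.php HTTP/1.1\r\nHost: localhost\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Length: 25\r\n\r\n"
             b"not-a-chunk-size-line-000\r\n\r\n")
# Constructed sample: one well-formed 12-byte (0xc) chunk plus the terminator.
WELL_FORMED = (b"POST /lol.php HTTP/1.1\r\nHost: localhost\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n"
               b'c\r\n{"hack":"1"}\r\n0\r\n\r\n')
```
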
Comment 4 Petr Gajdos 2018-09-19 13:54:30 UTC
Packages submitted for: 15,12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.

I believe all fixed.
Comment 6 Swamp Workflow Management 2018-09-24 07:40:47 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-10-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64146
Comment 7 Swamp Workflow Management 2018-09-26 22:08:26 UTC
SUSE-SU-2018:2887-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.52.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.52.1
Comment 8 Swamp Workflow Management 2018-09-28 10:12:48 UTC
openSUSE-SU-2018:2929-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-49.1
Comment 9 Swamp Workflow Management 2018-10-05 13:10:47 UTC
SUSE-SU-2018:3016-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1108554,1108753
CVE References: CVE-2018-17082
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.12.2
Comment 10 Swamp Workflow Management 2018-10-05 13:11:21 UTC
SUSE-SU-2018:3017-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.41.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.41.1
Comment 11 Swamp Workflow Management 2018-10-05 13:11:54 UTC
SUSE-SU-2018:3018-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.41.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.41.1
Comment 12 Andreas Stieger 2018-10-06 11:02:00 UTC
done
Comment 13 Swamp Workflow Management 2018-10-06 16:11:47 UTC
openSUSE-SU-2018:3056-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1108753
CVE References: CVE-2018-17082
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-106.2
Comment 14 Swamp Workflow Management 2018-10-06 16:16:31 UTC
openSUSE-SU-2018:3062-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1108554,1108753
CVE References: CVE-2018-17082
Sources used:
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.15.1
Comment 24 OBSbugzilla Bot 2020-05-12 08:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (1108753) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 25 OBSbugzilla Bot 2020-05-12 14:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (1108753) was mentioned in
https://build.opensuse.org/request/show/802978 Factory / php7
Comment 26 OBSbugzilla Bot 2020-05-13 08:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1108753) was mentioned in
https://build.opensuse.org/request/show/804946 Factory / php7
Comment 33 OBSbugzilla Bot 2023-10-26 10:35:19 UTC
This is an autogenerated message for OBS integration:
This bug (1108753) was mentioned in
https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81