CVE-2006-0208: XSS
First published: Fri Jan 13 2006(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHP | =4.3.9 | |
| PHP | =4.0-beta1 | |
| PHP | =4.0-beta4 | |
| PHP | =4.2.0 | |
| PHP | =5.1.1 | |
| PHP | =5.0.0-beta1 | |
| PHP | =4.1.0 | |
| PHP | =4.3.4 | |
| PHP | =4.0.4 | |
| PHP | =4.3.0 | |
| PHP | =4.0.5 | |
| PHP | =5.0.5 | |
| PHP | =4.3.6 | |
| PHP | =5.0.1 | |
| PHP | =4.3.7 | |
| PHP | =5.0.4 | |
| PHP | =4.2.2 | |
| PHP | =4.4.2 | |
| PHP | =4.0-rc1 | |
| PHP | =4.3.2 | |
| PHP | =4.3.11 | |
| PHP | =4.0.0 | |
| PHP | =4.0.2 | |
| PHP | =4.3.3 | |
| PHP | =4.1.1 | |
| PHP | =5.0.0-rc2 | |
| PHP | =5.0.3 | |
| PHP | =4.2.3 | |
| PHP | =5.1.0 | |
| PHP | =5.0.0-rc3 | |
| PHP | =4.0-beta2 | |
| PHP | =4.0.6 | |
| PHP | =4.1.2 | |
| PHP | =5.0.0-beta3 | |
| PHP | =4.0-rc2 | |
| PHP | =4.3.1 | |
| PHP | =4.0-beta_4_patch1 | |
| PHP | =4.3.10 | |
| PHP | =4.2.1 | |
| PHP | =5.0.0-rc1 | |
| PHP | =4.0.1 | |
| PHP | =5.0.2 | |
| PHP | =4.4.1 | |
| PHP | =4.0-beta3 | |
| PHP | =4.0.3 | |
| PHP | =5.0.0 | |
| PHP | =4.3.8 | |
| PHP | =4.3.5 | |
| PHP | =5.0.0-beta2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.suse.de/archive/suse-security-announce/2006-Feb/0008.html
- http://rhn.redhat.com/errata/RHSA-2006-0276.html
- http://rhn.redhat.com/errata/RHSA-2006-0549.html
- http://secunia.com/advisories/18431
- http://secunia.com/advisories/18697
- http://secunia.com/advisories/19012
- http://secunia.com/advisories/19179
- http://secunia.com/advisories/19355
- http://secunia.com/advisories/19832
- http://secunia.com/advisories/20210
- http://secunia.com/advisories/20222
- http://secunia.com/advisories/20951
- http://secunia.com/advisories/21252
- http://secunia.com/advisories/21564
- http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm
- http://www.gentoo.org/security/en/glsa/glsa-200603-22.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:028
- http://www.php.net/ChangeLog-4.php#4.4.2
- http://www.php.net/release_5_1_2.php
- http://www.redhat.com/support/errata/RHSA-2006-0501.html
- http://www.securityfocus.com/bid/16803
- http://www.vupen.com/english/advisories/2006/0177
- http://www.vupen.com/english/advisories/2006/0369
- http://www.vupen.com/english/advisories/2006/2685
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178028
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10064
- https://usn.ubuntu.com/261-1/
Frequently Asked Questions
What is the severity of CVE-2006-0208?
CVE-2006-0208 is classified as a medium severity vulnerability due to its potential for exploitation through cross-site scripting attacks.
How do I fix CVE-2006-0208?
To fix CVE-2006-0208, disable display_errors and html_errors in PHP configuration or upgrade to a patched version of PHP.
Which versions of PHP are affected by CVE-2006-0208?
CVE-2006-0208 affects PHP versions 4.4.1, 5.1.1, and earlier versions including 4.3.x and 5.0.x.
What are the potential impacts of CVE-2006-0208?
Exploitation of CVE-2006-0208 can allow attackers to inject arbitrary web scripts or HTML, leading to data theft or session hijacking.
How can I verify if my PHP installation is vulnerable to CVE-2006-0208?
You can verify if your PHP installation is vulnerable by checking if display_errors and html_errors are enabled and determining the PHP version in use.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/php
- canonical/php
- version/php/4.3.9
- version/php/4.0-beta1
- version/php/4.0-beta4
- version/php/4.2.0
- version/php/5.1.1
- version/php/5.0.0-beta1
- version/php/4.1.0
- version/php/4.3.4
- version/php/4.0.4
- version/php/4.3.0
- version/php/4.0.5
- version/php/5.0.5
- version/php/4.3.6
- version/php/5.0.1
- version/php/4.3.7
- version/php/5.0.4
- version/php/4.2.2
- version/php/4.4.2
- version/php/4.0-rc1
- version/php/4.3.2
- version/php/4.3.11
- version/php/4.0.0
- version/php/4.0.2
- version/php/4.3.3
- version/php/4.1.1
- version/php/5.0.0-rc2
- version/php/5.0.3
- version/php/4.2.3
- version/php/5.1.0
- version/php/5.0.0-rc3
- version/php/4.0-beta2
- version/php/4.0.6
- version/php/4.1.2
- version/php/5.0.0-beta3
- version/php/4.0-rc2
- version/php/4.3.1
- version/php/4.0-beta_4_patch1
- version/php/4.3.10
- version/php/4.2.1
- version/php/5.0.0-rc1
- version/php/4.0.1
- version/php/5.0.2
- version/php/4.4.1
- version/php/4.0-beta3
- version/php/4.0.3
- version/php/5.0.0
- version/php/4.3.8
- version/php/4.3.5
- version/php/5.0.0-beta2