Bug 1573814 (CVE-2018-10547)

Summary: CVE-2018-10547 php: Reflected XSS vulnerability on PHAR 403 and 404 error pages
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: fedora, hhorak, jorton, kbost, kwalker, rcollet, webstack-team, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20180426,reported=20180501,source=cve,cvss3=6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,rhel-5/php=notaffected,rhel-5/php53=wontfix,rhel-6/php=affected,rhel-7/php=affected,rhel-8/php=notaffected,rhscl-3/rh-php70-php=affected,rhscl-3/rh-php71-php=affected,fedora-all/php=affected
Fixed In Version: php 5.6.36, php 7.0.30, php 7.1.17, php 7.2.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1579205, 1579206, 1579208, 1563859, 1573816, 1579242
Bug Blocks: 1535252

Description Adam Mariš 2018-05-02 10:02:13 UTC
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.

Upstream bug:

https://bugs.php.net/bug.php?id=76129

Upstream patch:

https://git.php.net/?p=php-src.git;a=commit;h=6e64aba47f4e41d97c4d010024c68320c0855f45
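The bug class behind this CVE is request data reflected unescaped into a generated error page. The following is an added, illustrative PHP example (not code from ext/phar and not the upstream fix linked above) that shows a minimal stand-in for a PHAR-style 404 handler in its unescaped form beside the hardened form; the function names and the sample path are assumptions.

```php
<?php
// Illustrative only: a minimal stand-in for a PHAR-style "not found" error
// page, NOT the code of ext/phar/phar_object.c. It shows the class of defect
// described in the CVE (request data reflected unescaped into the HTML body)
// beside the hardened form that escapes the value for the HTML text context.

// Unescaped pattern: the requested path is written straight into the markup,
// so any markup characters in the request are interpreted by the browser.
function render_404_unescaped(string $requestPath): string
{
    return "<html><body><h1>404 Not Found</h1>"
         . "<p>The requested resource {$requestPath} was not found.</p>"
         . "</body></html>";
}

// Hardened pattern: escape every request-derived value before reflecting it.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8 (which would otherwise hide the problem).
function render_404_escaped(string $requestPath): string
{
    $safe = htmlspecialchars($requestPath, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<html><body><h1>404 Not Found</h1>"
         . "<p>The requested resource {$safe} was not found.</p>"
         . "</body></html>";
}

// Regression check a project could keep in its test suite: the escaped page
// must not contain any raw markup from the request (assumed helper name).
function reflects_raw_markup(string $html, string $requestPath): bool
{
    return strpos($html, $requestPath) !== false
        && preg_match('/[<>"\']/', $requestPath) === 1;
}

// Constructed sample request path containing markup characters.
$path = '/app.phar/<b>missing</b>/index.php';

assert(reflects_raw_markup(render_404_unescaped($path), $path) === true);
assert(reflects_raw_markup(render_404_escaped($path), $path) === false);

// Only the escaped variant is ever emitted to the client; an explicit charset
// keeps the browser from sniffing the document as something else.
header('Content-Type: text/html; charset=UTF-8');
echo render_404_escaped($path);
```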

Comment 1 Adam Mariš 2018-05-02 10:05:15 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1573816]