Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5814 to the following vulnerability: Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208. References: http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000084.html http://jvn.jp/en/jp/JVN50327700/index.html
PHP packages as shipped in Red Hat Enterprise Linux 4 and later set display_errors to off in the default php.ini configuration file. Default setting for display_errors in PHP packages in Red Hat Enterprise Linux 2.1 and 3 is on.
Upstream patch: http://viewcvs.php.net/viewvc.cgi/php-src/ext/standard/head.c?r1=1.84.2.1.2.8&r2=1.84.2.1.2.9&pathrev=PHP_5_2
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:0338 https://rhn.redhat.com/errata/RHSA-2009-0338.html
This issue has been addressed in following products: Red Hat Web Application Stack for RHEL 5 Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html
This issue did not affect PHP versions in Red Hat Enterprise Linux 2.1, 3 and 4.