logo

Database

Lack of data validation In drupal/core

Description

Drupal CRLF injection vulnerability in the drupal_set_header function CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2016-31662. NVD-2016-31663. OSV-2016-31664. GCVE-2016-3166

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3166.yaml2. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3166.yaml3. https://www.drupal.org/SA-CORE-2016-0014. http://www.debian.org/security/2016/dsa-34985. http://www.openwall.com/lists/oss-security/2016/02/24/196. http://www.openwall.com/lists/oss-security/2016/03/15/10

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.