agent/Core/Controller/SendRequest.cpp in Phusion Passenger prior to 4.0.60 and 5.0.x prior to 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote malicious users to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
phusionpassenger phusion passenger 5.0.14 |
||
phusionpassenger phusion passenger 5.0.13 |
||
phusionpassenger phusion passenger 5.0.6 |
||
phusionpassenger phusion passenger 5.0.19 |
||
phusionpassenger phusion passenger 5.0.18 |
||
phusionpassenger phusion passenger 5.0.17 |
||
phusionpassenger phusion passenger 5.0.10 |
||
phusionpassenger phusion passenger 5.0.9 |
||
phusionpassenger phusion passenger 5.0.2 |
||
phusionpassenger phusion passenger 5.0.1 |
||
phusionpassenger phusion passenger 5.0.16 |
||
phusionpassenger phusion passenger 5.0.15 |
||
phusionpassenger phusion passenger 5.0.8 |
||
phusionpassenger phusion passenger 5.0.7 |
||
phusionpassenger phusion passenger 5.0.0 |
||
phusionpassenger phusion passenger 5.0.21 |
||
phusionpassenger phusion passenger 5.0.20 |
||
phusionpassenger phusion passenger 5.0.12 |
||
phusionpassenger phusion passenger 5.0.11 |
||
phusionpassenger phusion passenger 5.0.4 |
||
phusionpassenger phusion passenger 5.0.3 |
||
phusionpassenger phusion passenger |
||
phusionpassenger phusion passenger 5.0.5 |
Vulmon