
CVE-2016-3166:
Drupal CRLF injection vulnerability in the drupal_set_header function

CVSS Score (v3.0): 5.9

Basic Information

EPSS Score: 0.64862%
Published: 5/17/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
drupal/core    | composer  | >= 6.0, < 6.38      | 6.38
drupal/drupal  | composer  | >= 6.0, < 6.38      | 6.38

Vulnerability Intelligence
Root Cause Analysis

The CVE description explicitly names drupal_set_header as the vulnerable function. The vulnerability stems from improper neutralization of CRLF sequences when user-controlled data is passed to this header-setting function, particularly in older PHP environments whose header() call did not itself reject embedded newlines. The function's location in includes/common.inc is standard for Drupal 6.x core functions. No other functions are mentioned in the vulnerability description as contributing to this specific CRLF injection issue.
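The root cause above is a header-setting function that forwards caller-supplied text to the HTTP response without neutralizing CR and LF. The following is an added example, not Drupal's own drupal_set_header and not code from this page or from Miggo: a hardened helper that validates the header name and rejects any CR, LF or NUL in the value before the line reaches PHP's header(). The function names, the constructed sample inputs and the check function are hypothetical.

```php
<?php
// Added example (not Drupal core code): a header-setting helper that
// neutralizes CRLF sequences instead of relying on the PHP runtime to do so.

/**
 * Return $value unchanged if it is safe to place in a header, otherwise throw.
 * CR, LF and NUL are the characters that let one header value terminate the
 * current header line and start a new header or the response body.
 */
function safe_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('Header value contains CR, LF or NUL');
    }
    return $value;
}

/**
 * Validate the header name against RFC 7230 token characters, validate the
 * value, and emit the header. Returns the header line that was (or would be)
 * sent so the behaviour can be checked without an HTTP context.
 */
function safe_set_header(string $name, string $value): string
{
    if (preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name) !== 1) {
        throw new InvalidArgumentException('Invalid header name');
    }
    $line = $name . ': ' . safe_header_value($value);
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header($line); // only reached with a validated name and value
    }
    return $line;
}

/**
 * Constructed inputs (hypothetical): one benign value and one that carries an
 * embedded CRLF, as a module passing user data into a header might produce.
 */
function run_checks(): array
{
    $results = [];
    $results['benign'] = safe_set_header('Content-Language', 'en');
    try {
        safe_set_header('Content-Language', "en\r\nX-Injected: 1");
        $results['crlf'] = 'ACCEPTED (unexpected)';
    } catch (InvalidArgumentException $e) {
        $results['crlf'] = 'rejected: ' . $e->getMessage();
    }
    try {
        safe_set_header("Bad Name\r\n", 'x');
        $results['name'] = 'ACCEPTED (unexpected)';
    } catch (InvalidArgumentException $e) {
        $results['name'] = 'rejected: ' . $e->getMessage();
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (run_checks() as $case => $outcome) {
        echo $case, ' => ', $outcome, PHP_EOL;
    }
}
```

Rejecting rather than silently stripping the offending characters is the safer default for a framework-level helper: a stripped value can still change meaning, and an exception surfaces the calling module that is letting user data reach a header, which is the pattern the CVE description points at.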

WAF Protection Rules

WAF Rule

CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before *.*.*, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module tha
