This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.
The remote FreeBSD host is missing one or more security-related
Rui Hirokawa reports :
As of PHP 5.1.2, header() can no longer be used to send multiple
response headers in a single call to prevent the HTTP Response
Splitting Attack. header() only checks the linefeed (LF, 0x0A) as
line-end marker, it doesn't check the carriage-return (CR, 0x0D).
However, some browsers including Google Chrome, IE also recognize CR
as the line-end.
The current specification of header() still has the vulnerability
against the HTTP header splitting attack.
See also :
Update the affected packages.
Risk factor :
Medium / CVSS Base Score : 4.3