Bug #19286 header() Control Char Injection
Submitted: 2002-09-07 16:14 UTC Modified: 2002-09-08 06:47 UTC
Votes:3
Avg. Score:3.3 ± 1.7
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mattmurphy at kc dot rr dot com Assigned:
Status: Wont fix Package: Output Control
PHP Version: 4.2.3 OS: Win32
Private report: No CVE-ID: None
 [2002-09-07 16:14 UTC] mattmurphy at kc dot rr dot com
I made a quite primitive use of the header() function in a redirect script:

<?php
if (isset($_GET["url"])) {
header("Location: " . $_GET["url"]);
}
?>

But now imagine for a second:

url=http%3A%2F%2Fwww.yahoo.com%2F%0D%0A%0D%0A%3Cscript%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E%0D%0A%0D%0A

Which causes:

Location: http://www.yahoo.com/

<script>alert(document.cookie)</script>

Another interesting thing about this is that it (possibly) allows bypassing output buffering(?).

If nothing else, this is a documentation problem, as the header() docs say that it will modify a single header, but it also allows body content to be manipulated.

 [2002-09-07 21:44 UTC] sniper@php.net
Have you ever thought of shooting yourself?
You can also pass user input to fopen()... or exec() (that's really for the brave ones to try...)

 [2002-09-07 21:46 UTC] yohgaki@php.net
The documentation already mentions that variables must be checked before passing them to header().

header() should also be able to send a multiple-line header.


 [2002-09-08 06:47 UTC] sesser@php.net
BTW: Your little example does exactly nothing...

All browsers I use (IE, Mozilla, Opera) ignore the body
if they find a Location header.

The only possible "danger" is Cookie injection.
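
The check the thread refers to (validating user input before it reaches header()), as an added example that is not part of the original report or of PHP itself. The function name safe_redirect_target, the host allowlist and the sample inputs are assumptions made for illustration; the example goes beyond the control-character check by also restricting scheme and host.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of hosts this redirect script may send users to.
const ALLOWED_REDIRECT_HOSTS = ['www.example.com', 'docs.example.com'];

/**
 * Return the URL if it is safe to place in a Location header, otherwise null.
 */
function safe_redirect_target(string $url): ?string
{
    // Reject any ASCII control character (CR, LF, NUL, ...) and DEL outright.
    // $_GET values arrive URL-decoded, so %0D%0A is a literal CR LF here.
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    return $url;
}

// Constructed sample inputs, decoded the way PHP would populate $_GET["url"].
$samples = [
    'https://www.example.com/welcome',
    urldecode('http%3A%2F%2Fwww.example.com%2F%0D%0A%0D%0A%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E'),
    urldecode('https%3A%2F%2Fwww.example.com%2F%0D%0ASet-Cookie%3A%20sid%3Dfixed'),
    'https://other.invalid/',
];

foreach ($samples as $candidate) {
    $target = safe_redirect_target($candidate);
    // json_encode makes embedded CR/LF visible as \r\n in the output.
    printf("%-8s %s\n", $target === null ? 'REJECT' : 'ALLOW', json_encode($candidate));
}

// In the redirect script itself:
// $target = safe_redirect_target($_GET['url'] ?? '');
// if ($target === null) { http_response_code(400); exit; }
// header('Location: ' . $target);
```

Only the first sample is allowed; the two CR/LF samples fail the control-character check and the last one fails the host allowlist.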
 
Last updated: Sat Dec 21 13:01:31 2024 UTC