PHP :: Bug #73630 :: Built in Webserver - overwrite $_SERVER['request

Bug #73630

Built in Webserver - overwrite $_SERVER['request_uri']

Submitted:

2016-11-30 22:24 UTC

Modified:

2021-06-29 15:14 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 1 (0.0%)

From:

rskansing at gmail dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

Built-in web server

PHP Version:

Irrelevant

OS:

Ubuntu 16.04

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	rskansing at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2016-11-30 22:24 UTC] rskansing at gmail dot com

Description:
------------
It is possible to overwrite the contents of $_REQUEST_URI with a uri longer than 16400 bytes. It allows a attacker to manipulate the global variable in unexpected ways. It has low impact as it only related to the build in server.

Test script:
---------------
Create a file named testtest1.php with the following content
<a href="<?= $_SERVER['REQUEST_URI'] ?>">Unexpected url</a>

Start the buildin php server 
php -S localhost:8090

Go to the browser and execute the following script in the console
window.location.href = (url ='http://testtest1.php:8090/overflow.php?')+("x".repeat(16400-url.length)+"//example.com");

it changes the url to "http://testtest1:8090/overflow.php?[16365 x here][payload]

Expected result:
----------------
localhost:8090 + a long string

Actual result:
--------------
example.com

Patches

Pull Requests

Pull requests:

Fix #73630: Built-in Weberver - overwrite $_SERVER['request_uri'] (php-src/7207)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-30 22:26 UTC] rskansing at gmail dot com

* testtest1.php should have been overflow.php

[2016-11-30 23:19 UTC] stas@php.net

-Type: Security +Type: Bug

[2016-11-30 23:20 UTC] stas@php.net

Built-in server is not a production facility.

[2021-06-29 15:11 UTC] cmb@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

[2021-06-29 15:11 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #73630: Built-in Weberver - overwrite $_SERVER['request_uri']
On GitHub:  https://github.com/php/php-src/pull/7207
Patch:      https://github.com/php/php-src/pull/7207.patch

[2021-06-29 15:14 UTC] cmb@php.net

-Summary: Buildin-server - Overwrite $_SERVER['request_uri'] +Summary: Built in Webserver - overwrite $_SERVER['request_uri']

[2021-06-30 14:18 UTC] git@php.net

Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/d7db5701a30f0e678f379a05360f8c91f89868ac
Log: Fix #73630: Built-in Weberver - overwrite $_SERVER['request_uri']

[2021-06-30 14:18 UTC] git@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 14:01:29 2024 UTC