[2021-12-01 02:46 UTC] ive_jihwan at zerocution dot com
-Package: *General Issues
+Package: PHP options/info functions
[2021-12-01 10:22 UTC] cmb@php.net
-Status: Open
+Status: Verified
Last updated: Wed Nov 05 13:00:01 2025 UTC
Description:
------------
When we set the "From" field via the ini setting "from", which is used by the "ftp" and "http" file wrappers, it can inject an arbitrary string into the raw socket message. Since the injected string can contain a CR-LF sequence (\r\n), this can be used to interrupt the flow of an FTP stream or to inject/smuggle an outgoing HTTP request.

I attached an accepted message using netcat in listening mode (nc -l).

This is caused by missing checks for CNTRLs in both http_fopen_wrapper.c and ftp_fopen_wrapper.c.

-- ftp_fopen_wrapper.c:266 --
php_stream_printf(stream, "PASS %s\r\n", FG(from_address));

must be checked using PHP_FTP_CNTRL_CHK before calling printf, and

-- http_fopen_wrapper.c:550 --
smart_str_appends(&req_buf, FG(from_address));

also must be checked with some logic before appending.

Test script:
---------------
<?php
ini_set("from", "Hi\r\nInjected: I HAVE IT");
file_get_contents("http://localhost:3500");

Expected result:
----------------
Should fail

Actual result:
--------------
Listening on 0.0.0.0 3500
Connection received on 127.0.0.1 38882
GET / HTTP/1.1
From: Hi
Injected: I HAVE IT
Host: localhost:3500
Connection: close
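
The kind of check the report asks for, as an added example that is not code from php-src or from the reporter: a configured value is scanned for control characters before it is written into an HTTP "From:" header or an FTP "PASS" command, and nothing is emitted if one is found. The helper names has_ctl and emit_line are hypothetical, and the inputs are constructed (the second is the value from the test script).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if any byte in val[0..len) is a control
 * character (CR, LF, NUL, TAB, DEL, ...). It takes an explicit length so
 * that an embedded NUL byte is inspected rather than ending the scan. */
static int has_ctl(const char *val, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (iscntrl((unsigned char)val[i]))
            return 1;
    }
    return 0;
}

/* Hypothetical helper: writes "<prefix><val>\r\n" into out.
 * Returns the number of bytes written, or -1 if val contains a control
 * character or the line does not fit. On failure out is left empty, so a
 * rejected value never reaches the socket even partially. */
static int emit_line(char *out, size_t cap, const char *prefix,
                     const char *val, size_t val_len)
{
    if (cap == 0)
        return -1;
    out[0] = '\0';
    if (has_ctl(val, val_len))
        return -1;
    int n = snprintf(out, cap, "%s%.*s\r\n", prefix, (int)val_len, val);
    if (n < 0 || (size_t)n >= cap) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: a plain address and the value from the test script. */
    const char *ok = "webmaster@example.com";
    const char *bad = "Hi\r\nInjected: I HAVE IT";
    char buf[128];

    printf("http ok : %d\n", emit_line(buf, sizeof buf, "From: ", ok, strlen(ok)));
    printf("http bad: %d\n", emit_line(buf, sizeof buf, "From: ", bad, strlen(bad)));
    printf("ftp bad : %d\n", emit_line(buf, sizeof buf, "PASS ", bad, strlen(bad)));
    return 0;
}
```

Rejecting the value outright, rather than stripping the CR/LF bytes, matches the report's expected result that the request should fail.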