php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #19286 header() Control Char Injection
Submitted: 2002-09-07 16:14 UTC Modified: 2002-09-08 06:47 UTC
Votes:3
Avg. Score:3.3 ± 1.7
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mattmurphy at kc dot rr dot com Assigned:
Status: Wont fix Package: Output Control
PHP Version: 4.2.3 OS: Win32
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mattmurphy at kc dot rr dot com
New email:
PHP Version: OS:

 

 [2002-09-07 16:14 UTC] mattmurphy at kc dot rr dot com
I made a quite primitive use of the header() function in a redirect script:

<?php
if (isset($_GET["url"])) {
header("Location: " . $_GET["url"]);
}
?>

But, no imagine for a second:

url=http%3A%2F%2Fwww.yahoo.com%2F%0D%0A%0D%0A%3Cscript%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E%0D%0A%0D%0A

Which causes:

Location: http://www.yahoo.com/

<script>alert(document.cookie)</script>

Another interesting thing about this is that it (possibly) allows bypassing output buffering(?).

If nothing else, this is a documentation problem, as the header() docs say that it will modify a single header, but it also allows body content to be manipulated.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-09-07 21:44 UTC] sniper@php.net
Have you ever thought of shooting yourself?
You can also pass user input to fopen()..or exect() (that's really for the brave ones to try..)

 [2002-09-07 21:46 UTC] yohgaki@php.net
Document mentions variables must be checked before passing it  to header() already.

header() should be able to send multiple line header also.


 [2002-09-08 06:47 UTC] sesser@php.net
BTW: Your little example does exactly nothing...

All Browsers I use (IE, Mozilla, Opera) ignore the body
if they find a Location header.

The only possible "danger" is Cookie injection.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 06 04:01:26 2024 UTC