Bug #64457 HTTP_HOST, SERVER_NAME, SERVER_PORT spoofing
Submitted: 2013-03-19 19:03 UTC Modified: 2016-06-20 15:27 UTC
Votes:5
Avg. Score:3.0 ± 1.3
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: dm@php.net Assigned: cmb (profile)
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
 [2013-03-19 19:03 UTC] dm@php.net
Description:
------------
`HTTP_HOST` is the value from `Host` header, which can, naturally, be spoofed.
On the other hand, `SERVER_NAME` and `SERVER_PORT` should reflect real values.
I've tested some configurations and on the majority you can at least change/spoof `SERVER_PORT`.
This can lead to security issues since these environment variables are often trusted.

Test script:
---------------
<?php

$ch = curl_init('http://smchiptuning.com/http_host.php');
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Host: 127.0.0.1:1337'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
echo curl_exec($ch);
curl_close($ch);

/**
http_host.php

<?php

var_dump($_SERVER['SERVER_NAME'], $_SERVER['SERVER_PORT']);

*/

Expected result:
----------------
string(16) "smchiptuning.com" string(2) "80"

Actual result:
--------------
string(9) "127.0.0.1" string(4) "1337"

 [2013-03-19 19:16 UTC] rasmus@php.net
But how is this a PHP issue? PHP doesn't set the $_SERVER['HTTP_*'] variables at 
all. They are inherited directly from the web server and are the same variables 
that the web server would set for CGI scripts that might get executed. So while 
we could try to do some analysis and filtering at the PHP level, anything else 
the web server invokes would still be getting the spoofed port. The fix should be 
at the web server level.
 [2013-03-19 19:16 UTC] rasmus@php.net
-Status: Open +Status: Analyzed
 [2013-03-19 19:38 UTC] dm@php.net
Indeed, it's not a PHP issue per se, and I'm glad, thank you.

I'm aware that $_SERVER['HTTP_*'] are passed on, but what about $_SERVER['SERVER_*'] (or you meant everything web server related)?
Why would Apache not know what the hostname is and which port it is serving through?

Nginx and some variations of Apache (haven't tried sending HTTP 1.0 request) settings don't have this "problem".
RFC 2616 states that 1.1 requests specifying a hostname not in use by the server should receive a 400 Bad Request response, which sometimes (I don't know when exactly) is not the case.

Thanks.
 [2013-03-19 20:58 UTC] rasmus@php.net
I have no idea why it is filling in the wrong SERVER_PORT, but it is. This 
doesn't come from PHP and it isn't PHP's job to second-guess what the web server 
is telling us here. Try to reproduce it with a straight CGI script without any 
PHP involvement.
 [2013-03-22 16:56 UTC] dm@php.net
With the help of thumbs from #httpd, I was directed to:
http://httpd.apache.org/docs/current/mod/core.html#usecanonicalphysicalport

It was pointed out:
http://httpd.apache.org/docs/2.4/mod/core.html#comment_1000

So, PHP is kept in the dark if these directives are Off.

On our side, docs should be updated to advise that values are not to be trusted if the aforementioned directives are Off.
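
An application-side check for the situation this report describes, added here as an example (it is not code from the report, the thread participants, or the PHP documentation): the request's host and port are accepted only if they match a configured allowlist, and the canonical value comes from that allowlist rather than from `$_SERVER`. The names `trusted_origin()` and `TRUSTED_ORIGINS` and the `example.test` hosts are hypothetical, and the `$_SERVER` samples are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: the host:port pairs this site is actually served on (constructed values).
const TRUSTED_ORIGINS = ['example.test:80', 'example.test:443', 'www.example.test:443'];

/**
 * Return [host, port] taken from the allowlist, or null when the
 * client-influenced request values do not match any trusted origin.
 */
function trusted_origin(array $server, array $allowlist = TRUSTED_ORIGINS): ?array
{
    // Check the raw Host header first: with canonical names off,
    // SERVER_NAME and SERVER_PORT may simply mirror it.
    $raw = $server['HTTP_HOST']
        ?? (($server['SERVER_NAME'] ?? '') . ':' . ($server['SERVER_PORT'] ?? ''));
    $raw = strtolower(trim((string) $raw));

    // Strict syntax: hostname or IPv4 literal, optional numeric port, nothing else.
    if (!preg_match('/^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$/', $raw, $m)) {
        return null;
    }

    $host  = $m[1];
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    // A Host header without a port implies the scheme's default port.
    $port  = isset($m[2]) ? (int) $m[2] : ($https ? 443 : 80);
    if ($port < 1 || $port > 65535) {
        return null;
    }

    // Exact, type-strict match against the configured origins.
    return in_array($host . ':' . $port, $allowlist, true) ? [$host, $port] : null;
}

// Constructed $_SERVER samples: a normal request, then the spoofed values from this report.
$samples = [
    ['HTTP_HOST' => 'example.test', 'SERVER_NAME' => 'example.test', 'SERVER_PORT' => '80'],
    ['HTTP_HOST' => '127.0.0.1:1337', 'SERVER_NAME' => '127.0.0.1', 'SERVER_PORT' => '1337'],
];
foreach ($samples as $s) {
    $origin = trusted_origin($s);
    echo $s['HTTP_HOST'], ' => ',
        $origin ? 'accepted as ' . $origin[0] . ':' . $origin[1] : 'rejected', PHP_EOL;
}
```

A request that returns null here should be refused (for example with a 400 response) before any URL, redirect or e-mail link is built from the host or port.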
 [2013-03-22 16:59 UTC] rasmus@php.net
-Package: Apache2 related +Package: Documentation problem
 [2016-06-20 15:27 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=339426
Log: Fix #64457: HTTP_HOST, SERVER_NAME, SERVER_PORT spoofing
 [2016-06-20 15:27 UTC] cmb@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: cmb
 [2016-06-20 15:27 UTC] cmb@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 [2020-02-07 06:07 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=2b5b055e52b81d01a19d7c868f4cc0662633b6ed
Log: Fix #64457: HTTP_HOST, SERVER_NAME, SERVER_PORT spoofing
Last updated: Thu Oct 21 12:03:33 2021 UTC