php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #68978 XSS in header() with Internet Explorer
Submitted: 2015-02-03 10:46 UTC Modified: 2015-02-06 04:25 UTC
From: gabor at molnar dot es Assigned: stas (profile)
Status: Closed Package: HTTP related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
39 + 19 = ?
Subscribe to this entry?

 
 [2015-02-03 10:46 UTC] gabor at molnar dot es 
Description:
------------
The filtering in header() function is not sufficient and this can lead to header injection and content injection (XSS) when the client is Internet Explorer (in every tested version).

IE accepts %0A%20 or %0D%0A%20 as separator in HTTP while other browser treat the new line beginning with space as the continuation of the previous header. This can lead to header injection or content injection (basically, XSS) in IE:
http://molnar.es/php-header/header_injection.png
http://molnar.es/php-header/content_injection.png

I'm hosting an instance of the test script here: http://molnar.es/php-header/test.php

Test script:
---------------
<?php header('Content-Type: text/html; charset=' . $_REQUEST['charset']); ?>

This is the content.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-04 07:18 UTC] stas@php.net 
RFC 2616 explicitly allows this as a header, so this seems to be an IE problem. However, RFC 7230 deprecates this functionality, saying:

A sender MUST NOT generate a message that includes
line folding (i.e., that has any field-value that contains a match to
the obs-fold rule) unless the message is intended for packaging
within the message/http media type.

So we may want to drop support for this.
 [2015-02-06 04:25 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2015-02-06 04:25 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2015-02-24 16:29 UTC] mark dot blackman at db dot com 
Hi,

I'm unable to identify the source code commit associated with this fix. Can you help?  Also, I don't see this fix in any changelogs at http://php.net/ChangeLog-5.php, although perhaps it's not made it into a formal build yet.

Cheers,
Mark
 [2015-02-24 16:31 UTC] mark dot blackman at db dot com 
Actually, perhaps this line in the Changelog is the reference.

"Removed support for multi-line headers, as they are deprecated by RFC 7230."
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 02:01:29 2024 UTC