Bug #76066 Information leaked?
Submitted: 2018-03-08 06:13 UTC Modified: 2018-03-10 14:52 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 7.2.3 OS:
Private report: No CVE-ID: None
 [2018-03-08 06:13 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
Hello, PHP Security Team,
Because I am not familiar with the SSL protocol, I don't know if the leaked information is normal return information. At the same time, I also do not know whether it is a security bug or not a bug.

Test script:
---------------
first step:
 nc -lvv 8080
Listening on [0.0.0.0] (family 0, port 8080)




second step:
./php-7.2.3/sapi/cli/php -r 'file_get_contents("https://127.0.0.1:8080"); '

Then, it will leak information. The file_get_contents function could be replaced by other functions.


Actual result:
--------------
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53810)

er�o�����!X�|L�
R%����r�fb�/�+�0�,�����'�#��	�(�$�
g3@k89��2�1�-�)�%�</j�2�.�*�&�=5���EDA�
                                          	127.0.0.1
                                                         
2

 	
 


 [2018-03-09 21:10 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2018-03-09 21:10 UTC] stas@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Don't see any information leak in the code described.
 [2018-03-09 22:48 UTC] pollita@php.net
This is literally how an SSL/TLS handshake is supposed to work.

The client sends a "Hello" packet advertising things like what ciphers it supports and (optionally, but in this case yes) an SNI (Server Name Indicator) to tell the remote end what hostname it's connecting to.  This is used for https to support virtualhost (multiple hostnames served by the same web server).

Not a leak, not a bug. Absolutely working as intended.
 [2018-03-10 14:52 UTC] cmb@php.net
-Type: Security +Type: Bug
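
The bytes the listener printed are a TLS ClientHello, which is sent in cleartext before any keys are agreed. The following is an added example, not part of the original thread or of PHP's code: it generates a real ClientHello in memory and parses out the cipher-suite list and the SNI name. The function names and the hostname `example.test` are constructed for illustration (Python's `ssl` module omits SNI for IP-literal hosts, so a hostname is used instead of `127.0.0.1`), and the parser assumes the ClientHello fits in a single TLS record.

```python
import ssl
import struct

def make_client_hello(hostname):
    """Produce a real ClientHello in memory (no network) via ssl.MemoryBIO."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # client has written its first flight and now waits for the server
    return outgoing.read()

def parse_client_hello(data):
    """Return (cipher_suite_ids, sni_hostname_or_None) from one TLS record."""
    rec_type, _ver, rec_len = struct.unpack("!BHH", data[:5])
    if rec_type != 22 or len(data) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = data[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    pos = 4 + 2 + 32            # handshake header, legacy_version, random
    pos += 1 + body[pos]        # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
    pos += 2 + cs_len
    pos += 1 + body[pos]        # compression_methods
    sni = None
    if pos < len(body):
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 0:   # server_name extension (RFC 6066)
                # layout: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack_from("!H", body, pos + 3)[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    return suites, sni

if __name__ == "__main__":
    hello = make_client_hello("example.test")  # constructed hostname
    suites, sni = parse_client_hello(hello)
    print("SNI:", sni, "| cipher suites offered:", [hex(s) for s in suites])
```
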
 
Last updated: Sun Aug 09 08:01:25 2020 UTC