|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81680 CR-LF injection via "From" field from ini setting
Submitted: 2021-12-01 02:44 UTC Modified: 2021-12-01 10:22 UTC
From: ive_jihwan at zerocution dot com Assigned:
Status: Verified Package: PHP options/info functions
PHP Version: 8.1.0 OS: *
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-12-01 02:44 UTC] ive_jihwan at zerocution dot com
When we set "From" field by setting ini setting "from", which is used for "ftp" and "http" file wrapper, it can inject an arbitrary string in the raw socket message.

Since the injected string can contain CR-LF sequence(\r\n), this can be used to interrupt the flow of FTP stream or injecting/smuggling an outgoing HTTP request.

I attached an accepted message using netcat in listening mode (nc -l)

This is caused by missing checking CNTRLs in both of http_fopen_wrapper.c and ftp_fopen_wrapper.c

-- ftp_fopen_wrapper.c:266 --
php_stream_printf(stream, "PASS %s\r\n", FG(from_address));

must be checked using PHP_FTP_CNTRL_CHK before calling printf


-- http_fopen_wrapper.c:550 --
smart_str_appends(&req_buf, FG(from_address));

also must be checked with some logic before appending

Test script:

ini_set("from", "Hi\r\nInjected: I HAVE IT");

Expected result:
Should be failed

Actual result:
Listening on 3500
Connection received on 38882
GET / HTTP/1.1
From: Hi
Injected: I HAVE IT
Host: localhost:3500
Connection: close


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-12-01 02:46 UTC] ive_jihwan at zerocution dot com
-Package: *General Issues +Package: PHP options/info functions
 [2021-12-01 02:46 UTC] ive_jihwan at zerocution dot com
Change a bug package (referred #81518)
 [2021-12-01 10:22 UTC]
-Status: Open +Status: Verified
 [2021-12-01 10:22 UTC]
Yeah, by the reasoning from bug #81518, this is a bug.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Oct 07 12:03:43 2022 UTC