php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81680 CR-LF injection via "From" field from ini setting
Submitted: 2021-12-01 02:44 UTC Modified: 2021-12-01 10:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ive_jihwan at zerocution dot com Assigned:
Status: Verified Package: PHP options/info functions
PHP Version: 8.1.0 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
37 + 31 = ?
Subscribe to this entry?

 
 [2021-12-01 02:44 UTC] ive_jihwan at zerocution dot com 
Description:
------------
When we set "From" field by setting ini setting "from", which is used for "ftp" and "http" file wrapper, it can inject an arbitrary string in the raw socket message.

Since the injected string can contain CR-LF sequence(\r\n), this can be used to interrupt the flow of FTP stream or injecting/smuggling an outgoing HTTP request.

I attached an accepted message using netcat in listening mode (nc -l)

This is caused by missing checking CNTRLs in both of http_fopen_wrapper.c and ftp_fopen_wrapper.c

-- ftp_fopen_wrapper.c:266 --
php_stream_printf(stream, "PASS %s\r\n", FG(from_address));

must be checked using PHP_FTP_CNTRL_CHK before calling printf

and

-- http_fopen_wrapper.c:550 --
smart_str_appends(&req_buf, FG(from_address));

also must be checked with some logic before appending





Test script:
---------------
<?php

ini_set("from", "Hi\r\nInjected: I HAVE IT");
file_get_contents("http://localhost:3500");

Expected result:
----------------
Should be failed

Actual result:
--------------
Listening on 0.0.0.0 3500
Connection received on 127.0.0.1 38882
GET / HTTP/1.1
From: Hi
Injected: I HAVE IT
Host: localhost:3500
Connection: close

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-12-01 02:46 UTC] ive_jihwan at zerocution dot com
-Package: *General Issues +Package: PHP options/info functions
 [2021-12-01 02:46 UTC] ive_jihwan at zerocution dot com 
Change a bug package (referred #81518)
 [2021-12-01 10:22 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2021-12-01 10:22 UTC] cmb@php.net 
Yeah, by the reasoning from bug #81518, this is a bug.
 [2022-12-07 05:03 UTC] ramhani14256 at gmail dot com 
Yeah, by the reasoning from bug #81518, this is a bug. PHP Copyright © 2001-2022 The PHP Group All rights reserved.

<https://www.dnahrblock.net/>github.com
 [2022-12-09 06:01 UTC] fragomenconnect145 at gmail dot com 
Since the injected string can contain CR-LF sequence(\r ), this can be used to interrupt the flow of FTP stream or injecting/smuggling an outgoing HTTP request.

<https://www.avalon-access.net/>github.com
 [2022-12-28 14:04 UTC] admin at bestcl dot com 
Hello friends check out this good references helpful free classified ads usa site (https://bestclassifiedsusa.com/)github.com
 [2023-09-28 09:34 UTC] ta dot nnaowens6 at googlemail dot com 
Thanks for sharing this, this is amazing. i like it. (https://github.com)(https://www.subwaygiftcardbalance.online/)
 [2023-10-04 09:23 UTC] Roydon5946 at gmail dot com 
This article is really amazing i hope we will see again this type of article in future. (https://github.com)(https://www.hondafinance.online/)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 22:01:29 2024 UTC