
PHP Vulnerability HTTP Response Splitting Analysis and Solutions_PHP Tutorial

WBOY (Original)
2016-07-13 17:11:25

In fact, the HTTP response splitting vulnerability is a CRLF injection vulnerability. The fix is relatively simple: removing the CR and LF characters from any user data that ends up in a header basically solves it. In addition, the options ServerTokens = Prod and ServerSignature = Off in Apache's httpd.conf and expose_php = Off in php.ini can also be set.


First, look at the vulnerable page address reported by 360, "/?r=XXXXX". The problem is immediately visible: the part after the "?" is r=XXXX, and this r= parameter is the issue. In PHP, a GET request of this kind (one whose parameters appear directly in the link) normally needs its text filtered to prevent intrusion, but no such filtering was done here. Having found the entry point, we start looking at the code: search every file of the site for $_GET['r'] (if you already know which file on your site has the problem, search only that file). The r in single quotes is the r in ?r= of the link and can be changed to match your own case.

The problem was discovered immediately:


$redirect = $_GET['r'];

The code above assigns $_GET['r'] directly to the $redirect variable; simply put, $redirect is now $_GET['r']. This is the usual way it is written, although the variable name may differ. Having found the source of the problem, we only need to filter the content of this variable.


PHP

// Remove CR, CRLF, LF, tabs, spaces, single quotes and HTML tags from the value before it reaches a header
$redirect = trim(str_replace("\r", "", str_replace("\r\n", "", strip_tags(str_replace("'", "", str_replace("\n", "", str_replace(" ", "", str_replace("\t", "", trim($redirect))))), ""))));

Paste the line above directly after $redirect = $_GET['r'];

That's it. Check the website again and the problem no longer occurs. I hope everyone can follow this. The variable name can be changed according to your own needs.


HTTP response splitting attack

HTTP response splitting occurs when an attacker uses a carefully crafted email or link so that a single request from the target user generates two responses: the first is the server's own response and the second is one designed by the attacker. The attack is possible because the web application places user data in the HTTP response header, and that user data has been crafted by the attacker.

Functions that may be affected by HTTP response splitting include the following:

header(); setcookie(); session_id(); setrawcookie();

HTTP response splitting usually occurs in:

The Location header: user data is written into the redirect URL

The Set-Cookie header: user data is written into a cookie

Example:

<?php
header("Location: " . $_GET['page']);
?>

Request

GET /location.php?page=http://www.00aq.com HTTP/1.1
Host: localhost

Return

HTTP/1.1 302 Found
Date: Wed, 13 Jan 2010 03:44:24 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Location: http://www.00aq.com
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Accessing the link below makes a login prompt appear directly:

http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%20158%0d%0a%0d%0aAccount%20Password%20

Decoded into a readable string, this is:

Content-Type: text/html

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 158

Account
Password

One HTTP request has produced two responses.
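An added example (not the tutorial's own code) that combines the two points above: the value that reaches header() is checked for CR/LF and other control characters instead of being cleaned by a chain of str_replace calls, and because the tutorial's redirect takes a full URL, the check also refuses off-site targets. The function names, the '/login' fallback and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original tutorial. Rather than stripping
// characters one at a time as the tutorial's str_replace chain does, validate
// the redirect target and fall back to a fixed path when validation fails.

// True when $value may be placed in a header line: it contains no CR, LF or
// other control characters, which are the only way to end the current header
// line and start a new one (the root cause of response splitting).
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// Returns a Location value that cannot split the response or redirect off-site.
// Only a path on this site ("/account?tab=1") is accepted; absolute URLs
// ("http://..."), protocol-relative ones ("//host", "/\host") and anything with
// control characters are replaced by $fallback.
function safe_redirect_target(string $raw, string $fallback = '/'): string
{
    if (!header_value_is_safe($raw) || $raw === '' || $raw[0] !== '/') {
        return $fallback;
    }
    if (isset($raw[1]) && ($raw[1] === '/' || $raw[1] === '\\')) {
        return $fallback;
    }
    return $raw;
}

// Constructed sample inputs: the tutorial's split payload as PHP sees it after
// URL-decoding, the tutorial's absolute URL, a protocol-relative host and a
// legitimate same-site path.
$cases = [
    "\r\nContent-Type: text/html\r\nHTTP/1.1 200 OK\r\n\r\nAccount Password",
    'http://www.00aq.com',
    '//other.example',
    '/account?tab=profile',
];
foreach ($cases as $case) {
    printf("%-70s -> %s\n", json_encode($case), safe_redirect_target($case, '/login'));
}

// Real use: only the validated value ever reaches header().
if (PHP_SAPI !== 'cli' && isset($_GET['page'])) {
    header('Location: ' . safe_redirect_target((string) $_GET['page'], '/login'));
    exit;
}
```

Run from the command line, the first three inputs are replaced by /login and only the last one is passed through unchanged.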
