Home >Backend Development >PHP Tutorial >PHP Vulnerability HTTP Response Splitting Analysis and Solutions_PHP Tutorial
In fact, the http response vulnerability is a CRLF injection attack vulnerability. The solution is relatively simple. We can basically solve it by replacing the CRLF in the header. Of course, we can also use the httpd.conf in apache with the option ServerTokens = Prod, ServerSignature = Off, php.ini in php, option expose_php = Off.
First, we analyze the vulnerability page address "/?r=XXXXX" provided by 360 and we can immediately find the problem. The ? number is followed by r=XXXX. This r= is the problem. In PHP, this GET form of request (in the link Requests that are directly displayed) generally need to filter some text to prevent intrusion, but this operation is not done. Then we find the entrance, let’s start looking at the code, and search for $_GET['r in all files in the entire site. '], if you know which file on your site has the problem, you can directly search for this file. The r in single quotes represents the r in ?r= in the link, which can be modified according to your own requirements.
The problem was discovered immediately:
$redirect = $_GET['r'];
The code in the picture directly gives $_GET['r'] to the $redirect variable. Simply put, $redirect is now $_GET['r']. Generally, it is written like this. Of course, The name of the variable may change. Now that we have found the source of the problem, we can just filter the content of this variable.
PHP
$redirect = trim(str_replace("r","",str_replace("rn","",strip_tags(str_replace("'","",str_replace("n", "", str_replace(" " ,"",str_replace("t","",trim($redirect))))),""))));
Copy all the above code directly into $redirect = $_GET['r'];
That’s it. Now check the website again and this problem will not occur. I hope everyone can understand. The variable name can be changed according to your own needs
HTTP response splitting attack
HTTP response splitting is due to the attacker's carefully designed use of emails or links to allow the target user to use one request to generate two responses. The former response is the server's response, and the latter is the response designed by the attacker. This attack occurs because the WEB program places user data in the HTTP response header, and these user data are carefully designed by the attacker.
Functions that may suffer from HTTP request response splitting include the following:
header(); setcookie(); session_id(); setrawcookie();
HTTP response splitting usually occurs at:
Location header: Write the user’s data into the redirected URL address
Set-Cookie header: Write user data into cookies
Example:
header("Location: " . $_GET['page']);
?>
Request
GET /location.php?page=http://www.00aq.com HTTP/1.1?
Host: localhost?
?
Return
HTTP/1.1 302 Found
Date: Wed, 13 Jan 2010 03:44:24 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Location: http://www.00aq.com
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Access the link below and a login window will appear directly
http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d% 0aContent-Length:%20158%0d%0a%0d%0a
is converted into a readable string:
Content-Type: text/html
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 158
One HTTP request produced two responses