Analysis and Solution of PHP Vulnerability HTTP response splitting

First of all, we analyze 360 of the vulnerability page address "/?r=xxxxx" immediately can find the problem,? After the number is r=xxxx this r= is the problem, in PHP, the Get form of the request (in the link directly to the request) to filter some text to prevent intrusion, and this does not do this operation, then we found the entrance, we began to look at the code, Find $_get[' r ' in all files in the station, if you know which file your site is a problem can also go directly to search this file, the single quotation mark R is in the link? R= in the R, can be modified according to their own requirements.

Immediately found the problem:

$redirect = $_get[' R '];

The code in the picture gives the $_get[' r ' directly to the $redirect variable, simply saying that now $redirect is $_get[' R ', which is usually written in this way, of course, the name of the variable may change, and since the source of the problem is found, So let's just filter the contents of this variable.

Php

$redirect = Trim (Str_replace ("R", "", Str_replace ("RN", "", Strip_tags) (Str_replace ("'", "", Str_replace ("N", "", Str_ Replace ("", "", Str_replace ("T", "", Trim ($redirect)))));

Copy all of the above code directly to $redirect = $_get[' R '];

The following is good, now again check the site will not appear this problem, I hope we can understand, variable name according to their own needs to replace OH

HTTP response split attack

HTTP response splitting is due to an attacker's well-designed use of e-mail or links, allowing the target user to produce two responses using a single request, the previous response being the response of the server, and then the attacker's design response. This attack occurs because the Web program places the user's data in the HTTP response header, and the user's data is carefully designed by the attacker.

Functions that may be split by HTTP request responses include the following:

Header ();        Setcookie ();        session_id (); Setrawcookie ();

HTTP response splitting typically occurs when:

Location Header: Writes the consumer's data to the redirected URL address

Set-cookie Header: Write user's data into cookies

Instance:

<?php
Header ("Location:"). $_get[' page ']);
?>

Request

Get/location.php?page=http://www.00aq.com http/1.1?
Host:localhost?

?

Return

http/1.1 302 Found
date:wed, 03:44:24 GMT
server:apache/2.2.8 (WIN32) php/5.2.6
x-powered-by:php/5.2.6
Location:http://www.00aq.com
content-length:0
Keep-alive:timeout=5, max=100
Connection:keep-alive
Content-type:text/html

Access to the link below, a login window will appear directly

Http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type: %20text/html%0d%0acontent-length:%20158%0d%0a%0d%0a

Convert to a readable string:

Content-type:text/html

http/1.1 OK

Content-type:text/html

content-length:158

An HTTP request produced two responses