First, look at the vulnerable page address reported by the 360 scan: "/?r=xxxxx". The problem is immediately visible: it is the r= parameter after the question mark. In PHP, GET request parameters (those passed directly in the link) should be filtered to prevent intrusion, and here no such filtering is done. Having found the entry point, we turn to the code: search all files of the site for $_GET['r']. If you know which file of your site has the problem, you can search that file directly. The r in single quotes is the r in ?r= in the link, and can be changed to match your own case.
The problem is found immediately:
$redirect = $_GET['r'];
The code in the picture assigns $_GET['r'] directly to the $redirect variable; put simply, $redirect now is $_GET['r']. It is usually written this way, although the variable name may differ. Since the source of the problem has been found, we just need to filter the contents of this variable.
// Strip tabs, spaces, line feeds, single quotes, HTML tags and carriage returns from the value
$redirect = trim(str_replace("\r", "", str_replace("\r\n", "", strip_tags(str_replace("'", "", str_replace("\n", "", str_replace(" ", "", str_replace("\t", "", trim($redirect)))))))));
Paste the code above directly below the line $redirect = $_GET['r']; and the fix is done. Scan the site again and the problem no longer appears. I hope this is clear; replace the variable name to suit your own code.
HTTP response splitting attack
HTTP response splitting occurs when an attacker uses a carefully crafted e-mail or link to make the target user produce two responses from a single request: the first is the server's response, the second is the response designed by the attacker. The attack is possible because the web program places user data in the HTTP response header, and that data has been carefully crafted by the attacker.
Functions that may be affected by HTTP response splitting include the following:
header(); setcookie(); session_id(); setrawcookie();
HTTP response splitting typically occurs in:
Location header: the user's data is written into the redirect URL
Set-Cookie header: the user's data is written into cookies
Example:
<?php
// Vulnerable: the page parameter goes into the Location header unfiltered
header("Location: " . $_GET['page']);
?>
Request
GET /location.php?page=http://www.00aq.com HTTP/1.1
Host: localhost
Response
HTTP/1.1 302 Found
Date: Wed, 03:44:24 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Location: http://www.00aq.com
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Visiting the link below makes a login window appear directly:
http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%20158%0d%0a%0d%0a
Converted to a readable string:
Content-Type: text/html
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 158
A single HTTP request produced two responses.
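The filter shown earlier strips characters one at a time. An alternative for the Location case is to reject any redirect target that contains control characters and to accept only same-site paths or allow-listed hosts. The following PHP is an added example, not code from the original page; safe_redirect_target(), $allowedHosts and the example.com / .example hosts are assumptions made for illustration.

```php
<?php
// Added example: validate a redirect target before it reaches header().
// safe_redirect_target() and $allowedHosts are hypothetical names.
// PHP has already URL-decoded $_GET values, so %0d%0a arrives as raw CR LF.
function safe_redirect_target(string $raw, array $allowedHosts, string $fallback = '/'): string
{
    // Reject (do not strip) any ASCII control character: CR, LF, NUL, tab ...
    if ($raw === '' || preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return $fallback;
    }
    // Same-site relative path: one leading slash, not "//host" or "/\host".
    if (preg_match('#^/(?![/\\\\])#', $raw)) {
        return $raw;
    }
    // Absolute URL: http(s) only, and the host must be on the allow-list.
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    if (!in_array($scheme, ['http', 'https'], true)
        || !in_array($host, $allowedHosts, true)) {
        return $fallback;
    }
    return $raw;
}

// Constructed sample inputs, as they would look after PHP decodes the query.
$allowed = ['www.example.com'];
$samples = [
    '/account/home',                                  // same-site path
    'http://www.example.com/news',                    // allow-listed host
    "\r\nContent-Type: text/html\r\n\r\n<html>",      // injected header lines
    '//untrusted.example/path',                       // scheme-relative URL
    'http://www.example.com@untrusted.example/',      // host hidden in userinfo
];
foreach ($samples as $s) {
    printf("%-50s => %s\n", json_encode($s), safe_redirect_target($s, $allowed));
}

// In the page's location.php the redirect would then be written as:
//   $page = $_GET['page'] ?? '';
//   header('Location: ' . safe_redirect_target(is_string($page) ? $page : '', $allowed));
// Current PHP versions also refuse header() values that contain line breaks;
// this check adds an allow-list on top, so the redirect cannot leave the site.
```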