Analysis and Solution of PHP Vulnerability HTTP response splitting

Source: Internet
Author: User
Tags http request trim


First of all, we analyze 360 of the vulnerability page address "/?r=xxxxx" immediately can find the problem,? After the number is r=xxxx this r= is the problem, in PHP, the Get form of the request (in the link directly to the request) to filter some text to prevent intrusion, and this does not do this operation, then we found the entrance, we began to look at the code, Find $_get[' r ' in all files in the station, if you know which file your site is a problem can also go directly to search this file, the single quotation mark R is in the link? R= in the R, can be modified according to their own requirements.

Immediately found the problem:


$redirect = $_get[' R '];

The code in the picture gives the $_get[' r ' directly to the $redirect variable, simply saying that now $redirect is $_get[' R ', which is usually written in this way, of course, the name of the variable may change, and since the source of the problem is found, So let's just filter the contents of this variable.


Php

$redirect = Trim (Str_replace ("R", "", Str_replace ("RN", "", Strip_tags) (Str_replace ("'", "", Str_replace ("N", "", Str_ Replace ("", "", Str_replace ("T", "", Trim ($redirect)))));

Copy all of the above code directly to $redirect = $_get[' R '];

The following is good, now again check the site will not appear this problem, I hope we can understand, variable name according to their own needs to replace OH


HTTP response split attack

HTTP response splitting is due to an attacker's well-designed use of e-mail or links, allowing the target user to produce two responses using a single request, the previous response being the response of the server, and then the attacker's design response. This attack occurs because the Web program places the user's data in the HTTP response header, and the user's data is carefully designed by the attacker.

Functions that may be split by HTTP request responses include the following:

Header ();        Setcookie ();        session_id (); Setrawcookie ();

HTTP response splitting typically occurs when:

Location Header: Writes the consumer's data to the redirected URL address

Set-cookie Header: Write user's data into cookies

Instance:

<?php
Header ("Location:"). $_get[' page ']);
?>

Request

Get/location.php?page=http://www.00aq.com http/1.1?
Host:localhost?

?

Return

http/1.1 302 Found
date:wed, 03:44:24 GMT
server:apache/2.2.8 (WIN32) php/5.2.6
x-powered-by:php/5.2.6
Location:http://www.00aq.com
content-length:0
Keep-alive:timeout=5, max=100
Connection:keep-alive
Content-type:text/html

Access to the link below, a login window will appear directly

Http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type: %20text/html%0d%0acontent-length:%20158%0d%0a%0d%0a

Convert to a readable string:

Content-type:text/html

http/1.1 OK

Content-type:text/html

content-length:158

An HTTP request produced two responses

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.