PHP vulnerability solution (8)-HTTP Response Splitting

Source: Internet
Author: User

HTTP request format

1) Request line: for example, "GET /index.php HTTP/1.1" requests the file index.php

2) header: for example, "Host: localhost", indicating the server address

3) blank lines

4) information body

Both the request line and every header must end with the line break sequence CRLF (\r\n). The blank line that ends the headers may contain only that line break and no other characters, not even spaces.

The following example shows how to send an HTTP request to the server www.yhsafe.com.

GET /index.php HTTP/1.1 // request line

Host: www.yhsafe.com // header

// blank line: pressing Enter on an empty line ends the headers; once it is sent, the HTTP request is complete

In the HTTP/1.1 request header only the Host header is mandatory; which other headers are sent depends on what the request needs.

HTTP request methods

1) GET: request a resource

2) HEAD: same as GET, but only the response headers are returned

3) POST: send data to the server for processing; the data is carried in the HTTP message body

4) PUT: upload a file

5) DELETE: delete a file

6) TRACE: echo the received request back to the client

7) OPTIONS: return the request methods the server supports

8) CONNECT: establish a tunnel through a proxy server

HTTP response format

After processing the request submitted by the client, the server sends a response:

1) The first line is the status line.

2) From the second line onward come the headers and the rest of the message.

The status line carries a three-digit status code and a word describing it. In "HTTP/1.1 200 OK", for example, 200 is the status code and OK is the reason phrase; this status means the request succeeded.

Example of HTTP request and response

Open cmd, start telnet, and type: open www.00aq.com 80

Then enter the request, followed by an empty line:

GET /index.php HTTP/1.1

Host: www.00aq.com

The server returns the HTTP response headers, followed by the homepage content.

Use PHP to send HTTP requests

The header() function sends a raw HTTP response header. It cannot send request headers; to send a request from PHP you write the request to a socket yourself, as the example below does.

Function prototype

void header(string $header [, bool $replace = true [, int $http_response_code]])

$header is the raw header string, for example "Location: /index.php".

If $replace is TRUE, a header of the same name sent earlier is replaced by this one; if FALSE, several headers of the same name are sent. The default is TRUE.

$http_response_code forces the HTTP response status code to the given value.

Instance:

 
 
  <?php
  // Open an Internet socket connection to the web server
  $fp = fsockopen("www.00aq.com", 80, $errno, $errstr, 30);
  if (!$fp) {
      die("Connection failed: $errstr ($errno)");
  }
  // Write the HTTP request headers; the empty line after the last header ends the request,
  // and Connection: close makes the server close the socket when the response is complete
  fputs($fp, "GET / HTTP/1.1\r\n");
  fputs($fp, "Host: www.00aq.com\r\n");
  fputs($fp, "Connection: close\r\n\r\n");
  // Accumulate the HTTP response
  $http_response = "";
  while (!feof($fp)) {
      // Read one line at a time, at most 255 bytes per call
      $http_response .= fgets($fp, 256);
  }
  // Close the socket connection
  fclose($fp);
  // Display the response, escaping HTML so the headers and markup are shown literally
  echo nl2br(htmlentities($http_response));
  ?>

HTTP response splitting attack

In an HTTP response splitting attack, the attacker crafts a link (delivered by e-mail, on a web page, and so on) that makes the target user's single request produce two responses: the first is the server's own response, the second is one the attacker composed. The attack is possible when a web application copies user-supplied data, which the attacker has laced with CRLF sequences, into an HTTP response header.

PHP functions through which user data can reach a response header, and which are therefore exposed to HTTP Response Splitting, include:

header(); setcookie(); setrawcookie(); session_id();

HTTP Response Splitting usually occurs in:

Location header: write user data into the redirected URL

Set-Cookie header: write user data into cookies

Instance:

 
 
  <?php
  // location.php: user data is placed directly in the Location header (vulnerable)
  header("Location: " . $_GET['page']);
  ?>

Request

GET /location.php?page=http://www.00aq.com HTTP/1.1

Host: localhost

Return

HTTP/1.1 302 Found

Date: Wed, 13 Jan 2010 03:44:24 GMT

Server: Apache/2.2.8 (Win32) PHP/5.2.6

X-Powered-By: PHP/5.2.6

Location: http://www.00aq.com

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

Now request the following link, whose page parameter contains URL-encoded CRLF sequences (%0d%0a):

http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%20158%0d%0a%0d%0a

Convert to a readable string:

Content-Type: text/html

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 158

These lines are injected into the server's response, so one HTTP request has produced two responses. Note that the payload above puts only a single CRLF between the first Content-Type line and the second status line; for a client to treat the second part as a separate message, the first response has to be closed first, with a Content-Length: 0 header followed by an empty line (CRLF CRLF), before the injected HTTP/1.1 200 OK begins.

Defense methods:

1) Remove the CRLF line break characters

  <?php
  // location.php: strip CR and LF from the user value before it reaches the header
  header("Location: " . strtr($_GET['page'], array("\r" => "", "\n" => "")));
  ?>

Stripping repairs the header silently and still redirects to whatever remains of the value; rejecting the request when the value contains "\r" or "\n" is the safer choice, and the Location value should in any case be checked against the destinations the application actually redirects to.

2) Use a current PHP version.

Since PHP 5.1.2 (and 4.4.2) header() refuses a value that contains a line break: an injected CRLF raises a warning and the header is not sent at all, which blocks the attack shown above.
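The attack walk-through and the two defenses above can be checked offline. The following Python script is an added example, not code from the original article: it models the vulnerable location.php handler on a PHP build that does not reject CR/LF, parses the resulting byte stream the way a minimal HTTP/1.1 client would, and then applies the article's CRLF-stripping fix and a reject-on-CRLF variant. The server header values are copied from the article's sample response; the payload and its body are constructed for this example and, unlike the article's payload, close the first response with Content-Length: 0 and an empty line before the second status line.

```python
"""HTTP response splitting, modelled offline in Python (added example)."""
from urllib.parse import quote, unquote

CRLF = "\r\n"

# Constructed body for the attacker's second response.
INJECTED_BODY = "<h1>Injected</h1>"

# Constructed payload in the percent-encoded form that goes into ?page=.
# It closes the first response (Content-Length: 0 plus an empty line) before
# the second status line, which is what lets a client see two messages.
SPLIT_PAYLOAD = (
    "%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    f"Content-Length:%20{len(INJECTED_BODY)}%0d%0a%0d%0a" + quote(INJECTED_BODY)
)


def build_redirect(page, sanitize=None):
    """Mimic the article's location.php: the query value (already URL-decoded by
    the PHP runtime) lands in the Location header. `sanitize`, if given, is
    applied to the value first. Server headers follow the article's sample."""
    value = page if sanitize is None else sanitize(page)
    lines = [
        "HTTP/1.1 302 Found",
        "Server: Apache/2.2.8 (Win32) PHP/5.2.6",
        "X-Powered-By: PHP/5.2.6",
        "Location: " + value,
        "Content-Length: 0",
        "Connection: Keep-Alive",
        "Content-Type: text/html",
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def split_responses(raw):
    """Parse a byte stream like a minimal HTTP/1.1 client: status line, headers
    up to the first empty line, then Content-Length bytes of body, repeated as
    long as another status line follows. Returns [(status, headers, body), ...]."""
    messages, pos = [], 0
    while raw.startswith(b"HTTP/", pos):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        status, *header_lines = raw[pos:head_end].decode("latin-1").split(CRLF)
        headers = {}
        for line in header_lines:
            name, _, val = line.partition(":")
            headers[name.strip().lower()] = val.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        messages.append((status, headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


def strip_crlf(value):
    """The article's fix: the Python equivalent of strtr($v, array("\\r"=>"", "\\n"=>""))."""
    return value.replace("\r", "").replace("\n", "")


def reject_crlf(value):
    """Stricter alternative, matching what current PHP's header() does:
    refuse the header outright instead of silently repairing it."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return value


def attack_stream():
    """The bytes the vulnerable handler emits for the constructed payload."""
    return build_redirect(unquote(SPLIT_PAYLOAD))


def demo():
    """How many responses a client sees with and without the fix, and whether
    the strict variant rejects the payload."""
    page = unquote(SPLIT_PAYLOAD)  # what $_GET['page'] contains
    try:
        reject_crlf(page)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable": len(split_responses(build_redirect(page))),
        "stripped": len(split_responses(build_redirect(page, strip_crlf))),
        "rejected": rejected,
    }


if __name__ == "__main__":
    for status, headers, body in split_responses(attack_stream()):
        print(status, "| Location:", headers.get("location"), "|", body)
    print(demo())
```

Running it shows two parsed messages for the unsanitized handler (the 302 with an empty Location, then the attacker's 200 OK carrying the injected body), a single 302 once CR and LF are stripped, and a rejection from the strict variant. With the stripped value the Location header still contains the flattened payload text, which is why validating the destination is preferable to repairing it.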

Hide the HTTP response header details

In Apache's httpd.conf: ServerTokens Prod and ServerSignature Off

In PHP's php.ini: expose_php = Off

These settings cut the Server header down to "Apache" and remove the X-Powered-By header, so a response like the one above no longer advertises the exact Apache and PHP versions.
