PHP vulnerability HTTP response splitting analysis and solution _ PHP Tutorial

Analysis and solution of HTTP response splitting for PHP vulnerabilities. In fact, the http response vulnerability is the CRLF Injection Vulnerability. the solution is relatively simple. we only need to replace the CRLF in the header to solve the problem, of course, you can also use htt in apache. In fact, the http response vulnerability is the CRLF Injection Attack Vulnerability. the solution is relatively simple. we only need to replace the CRLF in the header to solve the problem, of course, you can also use httpd in apache. conf, options ServerTokens = Prod, ServerSignature = Off, php. ini, option expose_php = Off.

First, we analyze the vulnerability page address provided in Section 360 "/? R = XXXXX "The problem can be found immediately ,? The number is followed by r = XXXX. the r = is the problem. in PHP, this GET request (a request directly displayed in the link) generally, some text should be filtered to prevent intrusion, and this operation is not performed. so we can find the entry and start to view the code, search for $ _ GET ['R'] in all files on the site. if you know which file on your site is faulty, you can search for this file directly, in single quotes, r represents the link? R =, which can be modified as required.

The problem was immediately discovered:

$ Redirect = $ _ GET ['R'];

The code in the image directly gives $ _ GET ['R'] to the $ redirect variable. In short, $ redirect is now $ _ GET ['R, generally, this is the case. of course, the variable name may change. since the source of the problem is found, we only need to filter the content of the variable.

PHP

$ Redirect = trim (str_replace ("r", "", str_replace ("rn", "", strip_tags (str_replace ("'", "", str_replace ("n ", "", str_replace ("", "", str_replace ("t", "", trim ($ redirect ))))),""))));

Directly copy all the above code to $ redirect =$ _ GET ['R'];

Now, check the website again to avoid this problem. I hope you can understand it. the variable name can be changed as needed.

HTTP response splitting attack

HTTP response splitting is because the attacker has carefully designed and used emails or links to allow the target user to use one request to generate two responses. the previous response is the server response, the other is the response designed by the attacker. This attack occurs because the WEB program places user data in the HTTP response header, which is specially designed by attackers.

Functions that may suffer from HTTP request response splitting include:

Header (); setcookie (); session_id (); setrawcookie ();

HTTP response splitting usually occurs in:

Location header: write user data into the redirected URL

Set-Cookie header: write user data into cookies

Instance:

Header ("Location:". $ _ GET ['Page']);
?>

Request

GET/location. php? Page = http://www.00aq.com HTTP/1.1?
Host: localhost?

?

Return

HTTP/1.1 302 Found
Date: Wed, 13 Jan 2010 03:44:24 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Location: http://www.00aq.com
Content-Length: 0
Keep-Alive: timeout = 5, max = 100
Connection: Keep-Alive
Content-Type: text/html

Access the following link and a login window will appear.

Http: // localhost/location. php? Page = % 0d % 0aContent-Type: % 20 text/html % 0d % 0 aHTTP/1.1% 20200% 20OK % 0d % 0aContent-Type: % 20 text/html % 0d % 0aContent-Length: % 20158% 0d % 0a % 0d % 0a

Convert to a readable string:

Content-Type: text/html

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 158

An HTTP request generates two responses.

The CRLF Injection attack vulnerability has been solved. the solution is relatively simple. we only need to replace the CRLF in the header to solve the problem. of course, we can also use htt in apache...