In fact, the HTTP response splitting vulnerability is a CRLF injection vulnerability. The fix is relatively simple: removing the CR and LF characters from data placed in headers basically resolves it. In addition, you can set ServerTokens Prod and ServerSignature Off in Apache's httpd.conf, and expose_php = Off in PHP's php.ini.
First, we look at the vulnerable page address reported by 360, "/?r=xxxxx", and the problem is immediately visible: what follows the ? is r=xxxx, and this r= parameter is the problem. In PHP, a GET parameter like this (one shown directly in the link) should generally be filtered to prevent intrusion, and here that is not done. Having found the entry point, we turn to the code: search every file in the site for $_GET['r']. If you already know which file on your site has the problem, you can search that file directly. The r inside the single quotes corresponds to ?r= in the link and can be changed to match your own case.
The problem turns up immediately:
$redirect = $_GET['r'];
The code assigns $_GET['r'] directly to the $redirect variable; put simply, $redirect is now $_GET['r']. This is how it is usually written, although the variable name may differ. Now that the source of the problem has been found, we only need to filter the contents of this variable.
// Strip tabs, spaces, newlines, single quotes, HTML tags and carriage returns from the redirect target
$redirect = trim(str_replace("\r", "", str_replace("\r\n", "", strip_tags(str_replace("'", "", str_replace("\n", "", str_replace(" ", "", str_replace("\t", "", trim($redirect)))))))));
Copy the code above and place it directly below $redirect = $_GET['r'];
That is all. Scan the site again and the problem will no longer be reported. I hope this is clear; replace the variable name to suit your own code.
HTTP response splitting attack
In HTTP response splitting, an attacker uses a carefully crafted e-mail or link so that a single request from the target user produces two responses: the first is the server's response, and the second is a response designed by the attacker. The attack is possible because the web application places user-supplied data in the HTTP response headers, and that data has been carefully crafted by the attacker.
The functions that may be affected by HTTP response splitting include the following:
header(); setcookie(); session_id(); setrawcookie();
HTTP response splitting typically occurs in:
Location header: user data is written into the redirect URL
Set-Cookie header: user data is written into cookies
Example:
<?php
// Vulnerable: the page parameter goes into the Location header unfiltered
header("Location: " . $_GET['page']);
?>
Request
GET /location.php?page=http://www.00aq.com HTTP/1.1
Host: localhost

Response
HTTP/1.1 302 Found
Date: Wed, Jan 03:44:24 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Location: http://www.00aq.com
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Visiting the link below makes a login window appear directly:
http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%20158%0d%0a%0d%0a
Decoded into a readable string:
Content-Type: text/html
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 158
An HTTP request produced two responses
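Instead of rewriting the value with nested str_replace() calls, the redirect target can be rejected outright when it is malformed. The following is an added example, not code from the original article: it refuses any target containing control characters (so a decoded %0d%0a never reaches header()) and, going slightly beyond the article, only accepts same-site paths or hosts on an allowlist. The function name, the allowlist and the sample inputs are constructed for illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the original article). safe_redirect_target(),
// the allowlist and the sample inputs below are constructed for illustration.
function safe_redirect_target(string $raw, array $allowedHosts): ?string
{
    // CR, LF, NUL and other control bytes have no place in a header value.
    // $_GET values are already URL-decoded, so %0d%0a arrives here as "\r\n".
    if ($raw === '' || preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    // Same-site path: exactly one leading slash, not "//host" or "/\host".
    if (preg_match('#^/(?![/\\\\])#', $raw)) {
        return $raw;
    }
    // Absolute URL: http(s) only, and the host must be on the allowlist.
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    if (!in_array($scheme, ['http', 'https'], true)
        || !in_array($host, $allowedHosts, true)) {
        return null;
    }
    return $raw;
}

// Constructed inputs: a normal target, the decoded CRLF payload from the
// article, an off-site URL and a same-site path.
$samples = [
    'http://www.00aq.com/index.php',
    "\r\nContent-Type: text/html\r\nHTTP/1.1 200 OK\r\n",
    'http://other.example/',
    '/account/home',
];
foreach ($samples as $s) {
    $target = safe_redirect_target($s, ['www.00aq.com']);
    printf("%-60s => %s\n", json_encode($s), $target ?? 'REJECTED, fall back to /');
}

// In the page handler (assumed wiring):
// $target = safe_redirect_target($_GET['r'] ?? '', ['www.00aq.com']) ?? '/';
// header('Location: ' . $target, true, 302);
```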