CVE-2024-11234 is a recently discovered vulnerability that affects several versions of PHP, including 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14. This vulnerability stems from the incorrect sanitization of URIs when using PHP streams with a configured proxy and the "request_fulluri" option. As a result, an attacker may exploit this vulnerability to perform HTTP request smuggling, allowing them to use the proxy to make arbitrary HTTP requests that appear to originate from the server. This exposes the server's private resources to the external user, thereby potentially compromising sensitive information.

Code Snippet

The vulnerable code is located in the PHP source file ext/standard/http_fopen_wrapper.c. Specifically, the vulnerability occurs in the function php_stream_url_wrap_http_ex when it builds the request line: with a proxy configured and the "request_fulluri" option set, the protocol, hostname, port number, and original URI are combined into one request line without checking for newline characters. A URI containing a newline therefore terminates the request line early and injects whatever follows as additional headers, which is what makes HTTP request smuggling possible.

/* ext/standard/http_fopen_wrapper.c (abridged; the vulnerable branch is the one taken when
   the "http" context option "request_fulluri" is set and a proxy is configured) */
static php_stream *php_stream_url_wrap_http_ex(const char *path, const char *mode, int options, php_stream_context *context, size_t max_redirects, size_t max_directs, const char *proxy_username, const char *proxy_password, const char *proxy_proto) {
  ...
  if (context && (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL && Z_TYPE_P(tmpzval) == IS_STRING) {
    /* Absolute-URI form used with a proxy: the URI string is copied verbatim into the
       request line. There is no check for CR/LF, so a URI carrying a newline ends the
       request line early and whatever follows it is parsed as additional headers. */
    efree(buf);
    buf = strpprintf(0, "GET %s HTTP/%s", Z_STRVAL_P(tmpzval), reqok ? "1.1" : "1.0");
    request_fulluri = 1;
  } else {
    /* Origin form: only the path and optional query string follow the method. */
    snprintf(req_line, sizeof(req_line), "GET %s%s%s HTTP/%s", fullurl_file, (query && *query ? "?" : ""), (query && *query ? query : ""), reqok ? "1.1" : "1.0");
    efree(buf);
    buf = estrdup(req_line);
  }
  ...
}
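The request-line construction above, reduced to a stand-alone C model with a hardened counterpart. This is an added example, not PHP's source: build_request_line_unchecked copies the URI verbatim the way the request_fulluri branch does, build_request_line_checked refuses any URI containing CR, LF or another control byte before formatting, and count_request_lines makes the defect measurable by showing that one URI produces two CRLF-terminated lines in the unchecked form. The function names and the sample URIs are constructed for this example; the check also shows that a percent-encoded %0d%0a stays inert because it never becomes a raw control byte.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the request_fulluri request line; not PHP's own code. */

/* Returns 1 if the URI carries a byte that must never appear in a request line:
 * CR, LF, any other C0 control character, or DEL. Percent-encoded sequences
 * such as "%0d%0a" are ordinary printable bytes and pass. */
int uri_has_ctl(const char *uri) {
    for (const unsigned char *p = (const unsigned char *)uri; *p; p++) {
        if (*p == '\r' || *p == '\n' || *p < 0x20 || *p == 0x7f)
            return 1;
    }
    return 0;
}

/* Vulnerable shape: the full URI is placed unchanged after the method.
 * Returns the number of bytes written, or -1 if the buffer is too small. */
int build_request_line_unchecked(const char *uri, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "GET %s HTTP/1.1\r\n", uri);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened shape: validate the URI before it can reach the request line.
 * Returns -1 (and writes nothing) when a control byte is present. */
int build_request_line_checked(const char *uri, char *out, size_t outlen) {
    if (uri_has_ctl(uri))
        return -1;
    return build_request_line_unchecked(uri, out, outlen);
}

/* Counts CRLF-terminated lines in the buffer. A correctly built request line
 * yields exactly 1; a smuggled header shows up as a second line. */
int count_request_lines(const char *buf) {
    int lines = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2)
        lines++;
    return lines;
}

int main(void) {
    char line[256];
    /* Constructed sample inputs: a clean URI and one with a raw CRLF embedded. */
    const char *clean = "http://example.com/index.html";
    const char *smuggled = "http://example.com/\r\nInjected-Header: value";

    build_request_line_unchecked(clean, line, sizeof line);
    printf("clean, unchecked: %d line(s)\n", count_request_lines(line));

    build_request_line_unchecked(smuggled, line, sizeof line);
    printf("smuggled, unchecked: %d line(s)\n", count_request_lines(line));

    printf("smuggled, checked: %s\n",
           build_request_line_checked(smuggled, line, sizeof line) < 0 ? "rejected" : "accepted");
    printf("percent-encoded CRLF flagged: %d\n", uri_has_ctl("http://example.com/a%0d%0ab"));
    return 0;
}
```

The check belongs at the boundary where untrusted input becomes protocol text; rejecting rather than stripping keeps a malformed URI from silently turning into a different request, and the same uri_has_ctl predicate can be applied in application code to URLs it passes to stream functions while an upgrade is pending.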

Exploit Details

To exploit this vulnerability, an attacker needs to send a maliciously crafted URI containing newline characters and any HTTP request headers. The attacker can then use this URI to perform unauthorized HTTP requests through the server's proxy.

For example, an attacker could craft a URI like this:

http://example.com/%0d%0aInject-Header: value/

When the vulnerable server processes this URI, it might generate an HTTP request like this:

GET http://example.com/%d%aInject-Header: value/ HTTP/1.1
Host: example.com
...

Because the injected line is parsed by the proxy as a separate header, this request could be used for a variety of attacks, including requests to internal resources and SSRF. The result can be leakage of sensitive data and unauthorized actions taken with the server's network position.

For more information on this vulnerability and its impact, please refer to the following resources:

1. PHP Bug Report: https://bugs.php.net/bug.php?id=xxxxx
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11234
3. National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-11234

Conclusion

CVE-2024-11234 is a serious vulnerability that affects several PHP versions. It enables attackers to use the server's proxy to make arbitrary HTTP requests, potentially exposing sensitive resources and information on the server. All users of affected PHP versions are strongly encouraged to upgrade their installations to the latest patched versions in order to mitigate this vulnerability.

Timeline

Published on: 11/24/2024 01:15:03 UTC
Last modified on: 11/26/2024 19:06:10 UTC