CVE CyberSecurity Database News

CVE-2024-5458: PHP URL Validation Vulnerability in Multiple Versions Leading to Incorrect URL Parsing

Poster -

In recent discoveries, a critical vulnerability (CVE-2024-5458) has been identified in PHP versions 8.1.* prior to 8.1.29, 8.2.* prior to 8.2.20, and 8.3.* prior to 8.3.8. This issue arises from a logic error in the PHP code of filtering functions such as filter_var when validating URLs (using FILTER_VALIDATE_URL). The problem arises when these filtering functions treat certain types of invalid URLs containing user information (username and password) as valid. This can result in downstream code incorrectly accepting and parsing these invalid URLs. This post will provide an in-depth explanation of the issue, code snippets to demonstrate the problem, and references to the original sources.

Exploit Details

The root cause of this vulnerability lies in the improper validation of URLs containing invalid user information (username and password part of URLs). Instead of flagging these invalid URLs, the filter_var function used for FILTER_VALIDATE_URL allows them to pass through as valid URLs.

Code Snippet Example

Consider this example of a simple PHP script that uses filter_var to validate a URL.

<?php
$url = "https://username:password@example.com";;
$filter_options = array("options" => array(FILTER_FLAG_SCHEME_REQUIRED, FILTER_FLAG_HOST_REQUIRED));

if (filter_var($url, FILTER_VALIDATE_URL, $filter_options)) {
    echo "Valid URL";
} else {
    echo "Invalid URL";
}
?>

In the context of the vulnerability, for a URL like this

https://user@password@example.com

The filter_var function ends up treating the URL as valid, when it should be treated as invalid due to the erroneous format of the user information provided.

For more details on this vulnerability, please refer to the following original references

1. PHP Official Release Notes: PHP 8.1.29 - https://www.php.net/ChangeLog-8.php#8.1.29
2. PHP Official Release Notes: PHP 8.2.20 - https://www.php.net/ChangeLog-8.php#8.2.20
3. PHP Official Release Notes: PHP 8.3.8 - https://www.php.net/ChangeLog-8.php#8.3.8
4. CVE-2024-5458 Entry in NIST National Vulnerability Database - https://nvd.nist.gov/vuln/detail/CVE-2024-5458

Mitigation

To safeguard against this vulnerability and ensure the robustness of your code, we recommend updating to the latest PHP versions, as follows:

Conclusion

In conclusion, it is important to remain vigilant of such security vulnerabilities and be quick to adapt by updating to patched software versions to protect your code against potential problems. It is also crucial to keep an eye on official release notes, CVE entries, and security advisories to stay updated on any new developments.

Timeline

Published on: 06/09/2024 19:15:52 UTC
Last modified on: 06/18/2024 10:15:10 UTC