Edit report at https://bugs.php.net/bug.php?id=64457&edit=1
ID:                 64457
Updated by:         ras...@php.net
Reported by:        d...@php.net
Summary:            HTTP_HOST, SERVER_NAME, SERVER_PORT spoofing
-Status:            Open
+Status:            Analyzed
Type:               Bug
Package:            Apache2 related
Operating System:   All
PHP Version:        Irrelevant
Block user comment: N
Private report:     N

New Comment:

But how is this a PHP issue? PHP doesn't set the $_SERVER['HTTP_*'] variables at
all. They are inherited directly from the web server and are the same variables
that the web server would set for CGI scripts that might get executed. So while
we could try to do some analysis and filtering at the PHP level, anything else
the web server invokes would still be getting the spoofed port. The fix should
be at the web server level.

Previous Comments:
------------------------------------------------------------------------
[2013-03-19 19:03:42] d...@php.net

Description:
------------
`HTTP_HOST` is the value from the `Host` header, which can, naturally, be
spoofed. On the other hand, `SERVER_NAME` and `SERVER_PORT` should reflect real
values. I've tested some configurations and on the majority you can at least
change/spoof `SERVER_PORT`. This can lead to security issues since these
environment variables are often trusted.

Test script:
---------------
<?php
// Request http_host.php while sending a Host header that names a different
// host and port than the one actually contacted.
$ch = curl_init('http://smchiptuning.com/http_host.php');
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Host: 127.0.0.1:1337'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
echo curl_exec($ch);
curl_close($ch);

/**
http_host.php

<?php
var_dump($_SERVER['SERVER_NAME'], $_SERVER['SERVER_PORT']);
*/

Expected result:
----------------
string(16) "smchiptuning.com"
string(2) "80"

Actual result:
--------------
string(9) "127.0.0.1"
string(4) "1337"

------------------------------------------------------------------------
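
Added example (not part of the bug report and not PHP project code): one way for an application to stop trusting `HTTP_HOST`, `SERVER_NAME` and `SERVER_PORT` is to resolve the request against a fixed allowlist of origins. The function name `trusted_origin`, the constant `ALLOWED_ORIGINS` and the `example.test` hosts are assumptions made for illustration; the second sample mirrors the spoofed header from the test script above.

```php
<?php
// Added example: take host and port from configuration, and use the
// client-supplied Host header only to select an allowlist entry.
// ALLOWED_ORIGINS and trusted_origin() are hypothetical names.

const ALLOWED_ORIGINS = [
    // host => canonical port (constructed sample values)
    'www.example.test' => 80,
    'example.test'     => 80,
];

/**
 * Return [host, port] from the allowlist, or null when the Host header
 * does not match a configured origin. SERVER_NAME and SERVER_PORT are
 * deliberately never read, since the report shows they can follow the header.
 */
function trusted_origin(array $server, array $allowed = ALLOWED_ORIGINS): ?array
{
    $raw = strtolower(trim($server['HTTP_HOST'] ?? ''));
    // Accept only "name" or "name:port"; anything else (including IPv6
    // literals, which this sketch does not handle) is rejected.
    if (!preg_match('/^([a-z0-9.-]+)(?::(\d{1,5}))?$/', $raw, $m)) {
        return null;
    }
    $host = rtrim($m[1], '.');            // tolerate a trailing-dot FQDN
    if (!array_key_exists($host, $allowed)) {
        return null;
    }
    $port = $allowed[$host];
    // A port given in the header must equal the configured one.
    if (isset($m[2]) && (int) $m[2] !== $port) {
        return null;
    }
    return [$host, $port];
}

// Constructed $_SERVER samples.
$samples = [
    ['HTTP_HOST' => 'www.example.test', 'SERVER_NAME' => 'www.example.test', 'SERVER_PORT' => '80'],
    ['HTTP_HOST' => '127.0.0.1:1337', 'SERVER_NAME' => '127.0.0.1', 'SERVER_PORT' => '1337'],
    ['HTTP_HOST' => 'www.example.test:1337', 'SERVER_NAME' => 'www.example.test', 'SERVER_PORT' => '1337'],
];
foreach ($samples as $s) {
    $origin = trusted_origin($s);
    echo $s['HTTP_HOST'], ' => ', $origin ? "{$origin[0]}:{$origin[1]}" : 'rejected', PHP_EOL;
}
```

A request that returns null should be refused rather than served with a fallback host, so that redirects and generated links are built only from allowlisted values.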