• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

PHP Function CRLF Injection Vulnerability

PHP includes a number of functions, such as fopen() and file(), which are used to reference external resources, such as other PHP files. If the allow_url_fopen() PHP directive is enabled, these functions may be used to access resources that exist on remote hosts by supplying a URL as an argument to the function. When these functions are used to reference a remote resource, PHP constructs a request for the resource using the appropriate protocol.

A vulnerability has been discovered in PHP which may allow an attacker to add arbitrary data to headers constructed by PHP when remote resources are referenced using these functions. In this way, a PHP script which uses the vulnerable function with the allow_url_fopen() directive enabled may be turned into a proxy, since the attacker is able to construct an arbitrary header to be sent with the request. This may be accomplished by building an arbitrary header using CRLF injection.