PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.1.31
- < 8.2.26
- < 8.3.14
A vulnerability in PHP streams when using a proxy and the 'request_fulluri' option can lead to HTTP request smuggling. This issue is present in PHP versions 8.1.* prior to 8.1.31, 8.2.* prior to 8.2.26, and 8.3.* prior to 8.3.14. The vulnerability arises because the URI is not properly sanitized, allowing an attacker to inject CRLF characters. This injection can be exploited to perform arbitrary HTTP requests through the proxy, potentially accessing resources not normally available to the user.
The CRLF injection can be exploited to perform HTTP request smuggling, leading to Server-Side Request Forgery (SSRF) attacks. This allows an attacker to bypass security controls, access internal endpoints, and manipulate HTTP requests to include sensitive headers such as 'Authorization' or 'Cookie'. In some cases, it may be possible to read the HTTP response from the smuggled requests.
To reproduce this vulnerability, configure a PHP stream context with a proxy and set the 'request_fulluri' option to true. This can be done using the 'stream_context_create' function. Once the context is set, use 'file_get_contents' to send a request with a crafted URI that includes CRLF injection. The injected characters will be interpreted by the server, leading to request smuggling.
Users can upgrade to PHP versions 8.1.31, 8.2.26, or 8.3.14, where this vulnerability has been patched.
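Where an upgrade cannot be rolled out immediately, URLs can be validated before they reach the proxied stream. The following is an added example, not code from this advisory or from the PHP project: the function names are hypothetical, the proxy address is a placeholder, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// First patched release of each affected branch, as listed in this advisory.
const PATCHED = ['8.1' => '8.1.31', '8.2' => '8.2.26', '8.3' => '8.3.14'];

/** True if $version falls in a range this advisory lists as affected. */
function is_affected_version(string $version): bool
{
    $parts = explode('.', $version);
    $branch = $parts[0] . '.' . ($parts[1] ?? '0');
    return isset(PATCHED[$branch]) && version_compare($version, PATCHED[$branch], '<');
}

/** Reject URLs carrying control characters or whitespace before they reach the request line. */
function assert_safe_url(string $url): string
{
    // 0x00-0x20 covers CR, LF, tab and space; 0x7F is DEL.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        throw new InvalidArgumentException('URL contains control or whitespace characters');
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https URLs are allowed');
    }
    return $url;
}

/** Fetch $url through $proxy (placeholder form: "tcp://proxy.example.internal:3128"). */
function fetch_via_proxy(string $url, string $proxy): string|false
{
    $context = stream_context_create([
        'http' => ['proxy' => $proxy, 'request_fulluri' => true],
    ]);
    return file_get_contents(assert_safe_url($url), false, $context);
}

// Constructed inputs: the first is clean, the second embeds CR LF.
foreach (["http://example.test/a", "http://example.test/a\r\nb"] as $candidate) {
    try {
        assert_safe_url($candidate);
        echo "accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
echo is_affected_version(PHP_VERSION) ? "affected range\n" : "not in a listed affected range\n";
```

The version check compares only against the ranges listed above, so a distribution build with a backported fix may still report as affected.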