PHP Null Byte Termination Vulnerability in Hostname Handling in fsockopen()

Vulnerability

A vulnerability exists in PHP versions 8.1.* prior to 8.1.33, 8.2.* prior to 8.2.29, 8.3.* prior to 8.3.23, and 8.4.* prior to 8.4.10. Certain functions, including fsockopen(), do not properly validate that the hostname provided contains no null characters. Because other functions, such as parse_url(), can then interpret the same hostname differently from the function that opens the connection, this lack of validation can lead to security issues such as Server Side Request Forgery (SSRF). Consequently, user-implemented access checks may be bypassed.

Impact

Exploitation of this vulnerability can lead to Server Side Request Forgery, where an attacker can manipulate server-side requests to interact with internal services or resources.

Reproduction

To reproduce this vulnerability, use a PHP version that is affected by this issue. Call the fsockopen() function with a hostname that includes a null byte followed by a valid domain. The hostname is terminated at the first null character, causing the function to connect to an unintended address. This can be demonstrated by parsing a user-supplied host with parse_url(), which will incorrectly process the hostname due to the null byte, and then using fsockopen() to connect to the manipulated address, effectively performing a Server Side Request Forgery.

Remediation

Users can upgrade to PHP versions 8.1.33, 8.2.29, 8.3.23, or 8.4.10 to address this vulnerability.
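
A defensive form of the user-implemented access check mentioned above, as an added example that is not code from this advisory or from the PHP project. The function name checked_host(), the ALLOWED_HOSTS list and the sample URLs are assumptions made for illustration; the check rejects null and control bytes before parsing and returns the one validated string the caller should connect with.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist for this example.
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];

/**
 * Return the exact host string that passed every check, or null to reject.
 * The caller must connect with this return value, never with the raw input.
 */
function checked_host(string $url): ?string
{
    // Reject NUL, other control bytes and spaces in the raw input before
    // any parser or socket function gets to interpret it.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return null;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    $host = strtolower($parts['host']);
    // Strict hostname grammar: letters, digits, hyphens and dots only.
    if (strlen($host) > 253 || preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/', $host) !== 1) {
        return null;
    }
    // Exact match, so no suffix or substring comparison can be confused.
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

// Constructed sample inputs (reserved example domains).
$samples = [
    'https://api.example.com/v1/status',
    "https://internal.example\0.api.example.com/",
    'https://api.example.com.other.example/',
    'http://cdn.example.com/',
];
foreach ($samples as $url) {
    $host = checked_host($url);
    // On success the connection would be opened with the checked value only,
    // e.g. fsockopen('tls://' . $host, 443, $errno, $errstr, 5).
    printf("%-45s => %s\n", addcslashes($url, "\0..\37"), $host ?? 'REJECTED');
}
```

Checking the raw input and then connecting with the returned value keeps the check and the connection on the same string, which matters on unpatched versions as well as patched ones.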

Added: Jul 13, 2025, 11:22 PM
Updated: Jul 13, 2025, 11:22 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 0.4
exploitability: 9.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.