CRLF Injection in phpservermon/phpservermon

Valid

Reported on

Nov 19th 2021


Description

Misconfiguration of nginx leads to CRLF injection.

In nginx, $uri is URL-decoded, so %0d%0a in the request path becomes a literal CRLF before it is placed in the redirect Location header.

code:

return 301 http://<%= @server_name[0].gsub(/^www\./, '') %>$uri;
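As an added illustration of the issue above, here is the weak directive beside a hardened form. This is example configuration written for this page; it is not the project's template and not the maintainer's actual fix (which was to remove PuPHPet). It assumes a plain nginx server block with placeholder hostnames. The hardening relies on a documented nginx property: $request_uri is the original request line as sent by the client and is never percent-decoded, while $uri is the normalized, decoded URI.

```nginx
# Weak: $uri is normalized and percent-decoded, so a request for
# /%0d%0afake_header:123 is rendered as "/\r\nfake_header:123" inside the
# Location header value, which splits the response into extra headers/body.
server {
    listen 80;
    server_name www.example.invalid;   # placeholder hostname

    return 301 http://example.invalid$uri;
}

# Hardened: $request_uri is the raw request line, not decoded, so the
# encoded "%0d%0a" stays as literal percent sequences in the redirect
# and the query string is preserved as well (which $uri drops).
server {
    listen 80;
    server_name www.example.invalid;   # placeholder hostname

    return 301 http://example.invalid$request_uri;
}
```

To confirm the fix on a test host, request the proof-of-concept path from the report with curl -sI and inspect the Location header: with the hardened block it still contains the literal text %0d%0a and no extra header lines appear after it.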

Proof of Concept

A request to:

http://www.test.com/%0d%0afake_header:123%0d%0a%0d%0afake_content

Impact

CRLF injection lets an attacker split the HTTP response and inject client-side content (e.g. cross-site scripting) to disclose information. An attacker can obtain sensitive values such as CSRF tokens and can set fake cookies on the victim's browser.

We are processing your report and will contact the phpservermon team within 24 hours. a year ago
We have contacted a member of the phpservermon team and are waiting to hear back a year ago
We have sent a follow up to the phpservermon team. We will try again in 7 days. a year ago
We have sent a second follow up to the phpservermon team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the phpservermon team. This report is now considered stale. a year ago
Tim Zandbergen validated this vulnerability a year ago
pupu.eth has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tim Zandbergen marked this as fixed in 3.6.0 with commit 162bba a year ago
Tim Zandbergen has been awarded the fix bounty
This vulnerability will not receive a CVE
Tim Zandbergen (Maintainer), a year ago

Thanks for notifying. Fixed by removing PuPHPet and updating Vagrant. I would consider the scope of this vulnerability to be low because the Vagrant environment is meant for development only.
