Bugzilla – Bug 1168352
VUL-1: CVE-2020-7066: php72,php7: URL truncation if the URL contains zero (\0) character
Last modified: 2020-07-10 09:35:32 UTC
CVE-2020-7066
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7066
https://bugs.php.net/bug.php?id=79329
It seems that only our versions 7.2 and above are affected. The fix can be found at [1]. I could not locate a test case in the commit.
Tracked the following as affected:
    php7 --> SLE15 and SLE15-SP2
    php72 --> SLE12
Factory is not affected since version 7.4.4 is shipped, which contains the fix.
The reproducer that I attached only works in the affected versions mentioned above.
php $POC (in a vulnerable version)
OUTPUT
    PHP Warning: get_headers(): php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/alex/bug2 on line 9
    PHP Warning: get_headers(http://example): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/alex/bug2 on line 9
    bool(false)
php $POC (in version 7.4.4)
OUTPUT
    PHP Warning: get_headers() expects parameter 1 to be a valid path, string given in /home/tumble/bug2.php on line 9
    NULL
[1] http://git.php.net/?p=php-src.git;a=commit;h=0d139c5b94a5f485a66901919e51faddb0371c43
Created attachment 834564 [details] POC
Thanks for the evaluation. I know from the similar string x path issues from the past that they very often last from the far history. I agree with the reporter, the get_headers() issue has been there from day one (tm). The original test does something more, but, for exhibiting the bug in get_headers(), the following code is sufficient:
BEFORE
    $ cat test.php
    <?php
    $_GET['url'] = "http://localhost\0.example.com";
    $headers = get_headers($_GET['url']);
    var_dump($headers);
    ?>
    $ php test.php
    PHP Warning: get_headers(http://localhost): failed to open stream: Connection refused in /168532/test.php on line 3
    bool(false)
    $
In case I am correct, all code streams are affected. After the patch we get, as you already noted, a message similar to:
AFTER
    $ php test.php
    PHP Warning: get_headers() expects parameter 1 to be a valid path, string given in /168532/test.php on line 9
    NULL
    $
For 5.3 and 5.2 we get just:
    $ php test.php
    bool(false)
    $
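An added example (not part of the bug report or of PHP's fix): an application-side check for the truncation discussed in this bug, showing a raw-string host check that the reproducer URL passes next to a validator that rejects control bytes and rebuilds the URL from its parsed parts. ALLOWED_HOSTS and all function names are hypothetical, and the truncation is only emulated with explode() so the script runs offline on any PHP 7.1+.

```php
<?php
// Added example, not from the bug report. ALLOWED_HOSTS, naive_check(),
// validate_remote_url() and safe_get_headers() are hypothetical names.
const ALLOWED_HOSTS = ['www.example.com', 'api.example.com'];

// Weak: pattern-matches the raw string, so bytes after a \0 still count.
function naive_check(string $url): bool
{
    return preg_match('#^https?://[^/]*\.example\.com$#', $url) === 1;
}

// Hardened: returns a rebuilt URL, or null when the input is rejected.
function validate_remote_url(string $url): ?string
{
    // Reject NUL and all other ASCII control bytes before any parsing.
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true)
        || !in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Rebuild from the checked parts so the request matches what was checked.
    return $scheme . '://' . $host
        . (isset($p['port']) ? ':' . $p['port'] : '')
        . ($p['path'] ?? '/')
        . (isset($p['query']) ? '?' . $p['query'] : '');
}

function safe_get_headers(string $url)
{
    $checked = validate_remote_url($url);
    return $checked === null ? false : get_headers($checked);
}

// Constructed inputs; the first is the URL from the reproducer above.
foreach (["http://localhost\0.example.com", 'http://www.example.com/status'] as $url) {
    $seen = explode("\0", $url, 2)[0]; // emulates truncation at the first \0
    printf("naive=%s  truncated=%s  hardened=%s\n",
        var_export(naive_check($url), true), $seen,
        var_export(validate_remote_url($url), true));
}
```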
Packages submitted for: 15sp2/php7, 15/php7, 12/php72, 12/php5, 11sp3/php53, 11/php5, 10sp3/php5 and devel:languages:php:php56/php5.
I believe all fixed.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2020-05-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64435
SUSE-SU-2020:1199-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1168326,1168352
CVE References: CVE-2020-7064,CVE-2020-7066
Sources used:
    SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): php7-7.2.5-4.55.7, tidy-5.4.0-3.2.1
    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): php7-7.2.5-4.55.7, tidy-5.4.0-3.2.1
    SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): tidy-5.4.0-3.2.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0642-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1168326,1168352
CVE References: CVE-2020-7064,CVE-2020-7066
Sources used:
    openSUSE Leap 15.1 (src): php7-7.2.5-lp151.6.25.1, php7-test-7.2.5-lp151.6.25.1, tidy-5.4.0-lp151.3.3.1
SUSE-SU-2020:1546-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1168326,1168352,1171999
CVE References: CVE-2019-11048,CVE-2020-7064,CVE-2020-7066
Sources used:
    SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.46.1
    SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php72-7.2.5-1.46.1
    SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.46.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1714-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1168326,1168352,1171999
CVE References: CVE-2019-11048,CVE-2020-7064,CVE-2020-7066
Sources used:
    SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php5-5.5.14-109.76.1
    SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.76.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.