#VU49338 Input validation error in PHP


Published: 2021-01-07 | Updated: 2023-10-27

Vulnerability identifier: #VU49338

Vulnerability risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-7071

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of URL performed via the "FILTER_VALIDATE_URL" setting. A remote attacker can use the "@" characters in the URL to bypass implemented filter and force the application to accept arbitrary URL instead of the defined by the option.

Example:

http://evel.website@trusted.website

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PHP: 7.4 - 7.4.13, 7.3 - 7.3.25, 8.0.0

External links
http://www.php.net/ChangeLog-7.php#7.4.14
http://www.php.net/ChangeLog-7.php#7.3.26
http://bugs.php.net/bug.php?id=77423
http://www.php.net/ChangeLog-8.php#8.0.1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Juniper Junos OS J-Web update for PHP
SUSE update for php7
SUSE update for php74
Red Hat Software Collections update for rh-php73-php
Multiple vulnerabilities in Tenable.sc
Ubuntu update for php5
Ubuntu update for php7.2
Arch Linux update for php7
Arch Linux update for php
Gentoo update for PHP