Bugzilla – Bug 1188037
VUL-0: CVE-2021-21705: php5,php7,php72,php74,php53: SSRF bypass in FILTER_VALIDATE_URL
Last modified: 2024-04-19 10:18:00 UTC
rh#1978755

A security issue was found in PHP in the way it allows the FILTER_VALIDATE_URL check to be bypassed via a crafted URL, which may lead to SSRF.

Reference:
https://bugs.php.net/bug.php?id=81122

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1978755
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21705
tracking as affected:
- SUSE:SLE-11:Update/php5
- SUSE:SLE-12:Update/php5
- SUSE:SLE-11-SP3:Update/php53
- SUSE:SLE-12:Update/php7
- SUSE:SLE-15:Update/php7
- SUSE:SLE-15-SP2:Update/php7
- SUSE:SLE-12:Update/php72
- SUSE:SLE-12:Update/php74
Reproduction was a bit complicated.

For php7* I used:

> echo '<?php echo filter_var("https://example.com:\@test.com/", FILTER_VALIDATE_URL); echo "\n";' | php

For php5* I looked at the code in ext/filter/logical_filters.c and made the assessment because the code is not too different in the older versions.

@Petr: let me know if you disagree.
$ cat test.php
<?php

$urls = array(
    "https://example.com:\\@test.com/",
    "https://user:\\epass@test.com",
    "https://user:\\@test.com",
);

foreach ($urls as $url) {
    var_dump(filter_var($url, FILTER_VALIDATE_URL));
}

?>
$

BEFORE

$ php test.php
string(31) "https://example.com:\@test.com/"
string(28) "https://user:\epass@test.com"
string(23) "https://user:\@test.com"
$

AFTER

$ php test.php
bool(false)
bool(false)
bool(false)
$
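For applications that cannot be patched immediately, the following added example (not part of the original bug report or of PHP itself) shows a pre-fetch check that does not rely on FILTER_VALIDATE_URL alone. The function name is_safe_fetch_url() and the ALLOWED_HOSTS list are assumptions made for illustration.

```php
<?php
// Added example: defence-in-depth check before a server-side fetch.
// ALLOWED_HOSTS and is_safe_fetch_url() are hypothetical names.
const ALLOWED_HOSTS = ['test.com'];   // constructed allowlist

function is_safe_fetch_url(string $url): bool
{
    // Reject backslashes, control characters and whitespace up front, so the
    // result does not depend on whether the installed PHP carries the fix.
    if (preg_match('/[\\\\\x00-\x20\x7f]/', $url)) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Outbound fetches here never need credentials in the URL: refuse userinfo.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Exact-match host allowlist; no suffix or substring matching.
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

// Constructed inputs: the three URLs from the test above plus three controls.
$samples = [
    'https://example.com:\@test.com/',
    'https://user:\epass@test.com',
    'https://user:\@test.com',
    'https://test.com/path',
    'https://user:pass@test.com/',
    'https://internal.example/',
];
foreach ($samples as $url) {
    printf("%-34s %s\n", $url, is_safe_fetch_url($url) ? 'allow' : 'reject');
}
```

Only https://test.com/path is allowed; the three URLs from the test are rejected by the backslash check before filter_var() is consulted, on patched and unpatched PHP alike.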
(In reply to Robert Frohl from comment #2)
> reproduction was a bit complicated.
>
> for php7* I used:
>
> > echo '<?php echo filter_var("https://example.com:\@test.com/", FILTER_VALIDATE_URL); echo "\n";' | php
>
> For php5* I looked at the code in ext/filter/logical_filters.c
> and made the assessment because the code is not too different in the older
> versions.
>
> @Petr: let me know if you disagree.

Thanks. Yes, I agree, using also
https://github.com/php/php-src/commit/4a89e726bd4d0571991dc22a9a1ad4509e8fe347
Will submit for 15sp2/php7, 15/php7, 12/php74, 12/php72, 11sp3/php53 and 11/php5.
I believe all fixed.
SUSE-SU-2021:2564-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1188037
CVE References: CVE-2021-21705
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.63.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.63.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:2575-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1188037
CVE References: CVE-2021-21705
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): php7-7.2.5-4.76.5
SUSE-SU-2021:2637-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): php7-7.4.6-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:2637-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): php7-7.4.6-3.22.1
SUSE-SU-2021:2636-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php74-7.4.6-1.24.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php74-7.4.6-1.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1130-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): php7-7.4.6-lp152.2.18.1, php7-test-7.4.6-lp152.2.18.1
Done, closing.