CVE-2024-11234
📋 TL;DR
This PHP vulnerability allows attackers to perform HTTP request smuggling when using streams with proxy configurations and the 'request_fulluri' option. It enables attackers to make arbitrary HTTP requests originating from the server, potentially accessing internal resources. Affects PHP 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14.
💻 Affected Systems
- PHP
📦 What is this software?
Php by Php
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains access to internal HTTP resources behind the proxy, potentially accessing sensitive internal systems, APIs, or services that should not be externally accessible.
Likely Case
Attacker uses the vulnerable server as a proxy to scan internal networks, access internal web applications, or interact with internal APIs, leading to information disclosure.
If Mitigated
Limited impact due to network segmentation, proper proxy authentication, or restricted internal resource access controls.
🎯 Exploit Status
Exploitation requires specific PHP stream proxy configuration. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 8.1.31, 8.2.26, 8.3.14
Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2
Restart Required: Yes
Instructions:
1. Identify PHP version with 'php -v'.
2. Update PHP using your package manager: 'apt update && apt upgrade php' (Debian/Ubuntu) or 'yum update php' (RHEL/CentOS).
3. Restart web server: 'systemctl restart apache2' or 'systemctl restart nginx'.
4. Verify update with 'php -v'.
🔧 Temporary Workarounds
Disable request_fulluri option
Disable the 'request_fulluri' option in PHP stream contexts when using proxy configurations
stream_context_set_option($context, 'http', 'request_fulluri', false);
Remove proxy configuration
Remove or disable proxy configurations for PHP streams if not required
Remove 'proxy' settings from php.ini or stream context configurations
🧯 If You Can't Patch
- Implement network segmentation to restrict PHP server access to internal resources
- Configure web application firewall (WAF) to detect and block HTTP request smuggling attempts
🔍 How to Verify
Check if Vulnerable:
Check the PHP version with 'php -v' and verify whether it is in the affected range. Check whether 'request_fulluri' is enabled in proxy stream contexts.
Check Version:
php -v | grep 'PHP'
Verify Fix Applied:
Verify PHP version is 8.1.31+, 8.2.26+, or 8.3.14+ with 'php -v'. Test proxy stream functionality with request_fulluri disabled.
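The two checks above can be scripted. The following is an added example, not code from PHP or the vendor advisory: it classifies a version string against the ranges listed on this page and lists PHP files that mention 'request_fulluri'. The function names and sample inputs are hypothetical.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2024-11234 built from this page's
# version ranges. Function names are hypothetical, not part of PHP.

# Patch level that carries the fix on each branch (from "Patch Version").
fixed_patch_for_branch() {
    case "$1" in
        8.1) echo 31 ;;
        8.2) echo 26 ;;
        8.3) echo 14 ;;
        *)   return 1 ;;   # branch not listed on this page
    esac
}

# classify_php_version VERSION
# VERSION is a bare version ("8.2.25") or the first line of `php -v`.
# Prints: affected | fixed | not-listed | unparsed
# Package suffixes after the patch number ("-1ubuntu2", "+deb12u1") are
# ignored; pre-release tags such as "RC1" are reported as unparsed.
classify_php_version() {
    parsed=$(printf '%s\n' "$1" | sed -n -E \
        's/^(PHP )?([0-9]+)\.([0-9]+)\.([0-9]+)([^A-Za-z0-9].*)?$/\2.\3 \4/p')
    [ -n "$parsed" ] || { echo unparsed; return 0; }
    branch=${parsed% *}
    patch=${parsed#* }
    fixed=$(fixed_patch_for_branch "$branch") || { echo not-listed; return 0; }
    if [ "$patch" -lt "$fixed" ]; then echo affected; else echo fixed; fi
}

# list_request_fulluri_files DIR
# Prints PHP files under DIR that mention the 'request_fulluri' stream
# option, so each can be reviewed for an accompanying proxy setting.
list_request_fulluri_files() {
    grep -rl --include='*.php' 'request_fulluri' "$1" 2>/dev/null || true
}

# Constructed sample inputs (not taken from any real host).
for v in "PHP 8.2.25 (cli)" "8.3.14" "8.1.2-1ubuntu2.19" "8.4.1"; do
    printf '%-22s %s\n' "$v" "$(classify_php_version "$v")"
done
```

Distribution packages can carry backported fixes under an older upstream version number, so an 'affected' result for a distro build should be confirmed against that distribution's security tracker.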
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests originating from PHP server to internal resources
- Multiple failed proxy authentication attempts
- HTTP requests with malformed URIs in proxy logs
Network Indicators:
- PHP server making unexpected HTTP requests to internal systems
- HTTP traffic patterns suggesting request smuggling
SIEM Query:
source="php_error.log" AND ("proxy" OR "request_fulluri") AND ("error" OR "warning")