Description
Summary
An integer overflow vulnerability in PHP's built-in web server CLI SAPI allows remote attackers to trigger a DoS by sending a malicious HTTP request with an overflowed Content-Length header value. The vulnerability exists in the HTTP parser that processes Content-Length headers without proper overflow checks.
Details
The vulnerability is located in sapi/cli/php_http_parser.c:
    case h_content_length:
        if (ch == ' ') break;
        if (ch < '0' || ch > '9') goto error;
        parser->content_length *= 10;        // <-- NO OVERFLOW CHECK
        parser->content_length += ch - '0';  // <-- NO OVERFLOW CHECK
        break;
The parser accumulates the Content-Length value digit by digit without checking for integer overflow. When an attacker sends a Content-Length header with a very large value (e.g., 50+ digits), the value wraps around due to integer overflow.
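The wrap-around described above, next to a bounded accumulator, as an added example that is not PHP's code or its fix. The function names, the `uint64_t` model of the field (used so that wrap-around is defined behaviour in C) and the `limit` parameter are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Models the unchecked digit loop from the report on an unsigned type.
 * Spaces are skipped, parsing stops at the first non-digit.
 * The result is the header value modulo 2^64. */
uint64_t parse_cl_unchecked(const char *s)
{
    uint64_t v = 0;
    for (; *s; s++) {
        if (*s == ' ') continue;
        if (*s < '0' || *s > '9') break;
        v *= 10;                      /* may wrap */
        v += (uint64_t)(*s - '0');    /* may wrap */
    }
    return v;
}

/* Hardened variant: refuses any value above `limit` before multiplying.
 * Returns 0 and stores the value in *out on success, -1 on a non-digit,
 * an empty value, or a value that would exceed `limit`. */
int parse_cl_checked(const char *s, uint64_t limit, uint64_t *out)
{
    uint64_t v = 0;
    size_t digits = 0;
    for (; *s; s++) {
        if (*s == ' ') continue;
        if (*s < '0' || *s > '9') return -1;
        uint64_t d = (uint64_t)(*s - '0');
        /* v*10 + d <= limit  <=>  v <= (limit - d) / 10, given d <= limit */
        if (d > limit || v > (limit - d) / 10) return -1;
        v = v * 10 + d;
        digits++;
    }
    if (digits == 0) return -1;
    *out = v;
    return 0;
}
```

With `limit` set to the largest body size the server is willing to buffer, an oversized header is rejected at the digit where it first exceeds the limit, so the stored length never disagrees with what the client declared.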
Affected Component: PHP CLI built-in web server (php -S)
Affected Versions: All versions with CLI server (PHP 5.4+)
Attack Vector: Network (remote)
Authentication: None required
PoC
- Start PHP built-in server:
    php -S localhost:8891 -t /
- Manually with curl (limited by curl's header validation):
    curl -X POST -H "Content-Length: 999999999999999999999999999999" \
      -d "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
      http://localhost:8891/
Expected Behavior:
- Server may crash from an out-of-memory condition, or the process may abort, due to an oversized memory allocation
- Server may hang or become unresponsive
Impact
This vulnerability affects any PHP web application running on the built-in CLI web server.
- Development environments
- Testing and staging servers
- Docker containers and microservices
Who is impacted:
- Developers using php -S for local development
- Applications deployed with PHP built-in server in production
- Any service exposing PHP CLI server to untrusted networks
Potential Impact:
- Denial of Service (crash or hang)
PHP Version
**Affected Versions:** All versions with CLI server (PHP 5.4+)
Operating System
No response