Platform: php
Component: php
Fixed in: 7.2.1, 7.3.1, 7.4.1
CVE-2020-7066 is a vulnerability affecting PHP versions 7.2.x, 7.3.x, and 7.4.x. When the get_headers() function is called with a user-supplied URL containing a NUL (zero) character (\0), the URL is silently truncated at that character. This can lead to software making incorrect assumptions about the target URL and potentially sending information to the wrong server, leading to unintended data exposure or misdirection.
The primary impact of CVE-2020-7066 lies in the potential for attackers to manipulate the target of get_headers() requests. By injecting NUL characters into a user-controlled URL passed to get_headers(), an attacker can truncate the URL, effectively changing the destination. This could lead to sensitive data being sent to an attacker-controlled server instead of the intended recipient. For example, an application using get_headers() to verify the legitimacy of a URL might be tricked into accepting a malicious URL because of the truncation. The blast radius depends on how the application uses get_headers() and on the sensitivity of the data being handled. While this is not a direct remote code execution vulnerability, the misdirection of requests can have significant consequences depending on the application's functionality.
CVE-2020-7066 was published on April 1, 2020. Its severity is pending further evaluation, but it is currently rated MEDIUM (CVSS 5.3). There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. It is not currently listed on CISA's Known Exploited Vulnerabilities catalog. While a proof of concept (PoC) is not widely available, the vulnerability's nature makes it relatively straightforward to demonstrate, increasing the likelihood of future exploitation.
Exploit status:
EPSS: 1.53% (percentile 81%)
CVSS vector:
The recommended mitigation for CVE-2020-7066 is to upgrade to PHP version 7.4.4 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation on URLs passed to get_headers(). Specifically, sanitize user-supplied URLs to remove or escape NUL characters (\0). Web application firewalls (WAFs) can be configured to detect and block requests containing suspicious URL patterns. Additionally, review application code that uses get_headers() to ensure proper error handling and validation of the returned headers, so that unexpected behavior is caught. After upgrading, confirm the fix by attempting to use get_headers() with a URL containing a NUL character; the URL should not be truncated.
Upgrade to PHP version 7.2.29, 7.3.16 or 7.4.4 or later, whichever corresponds to your current version. This fixes the vulnerability that allows URL truncation when get_headers() is used with user-supplied URLs containing NUL characters.
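The guard described above (rejecting NUL bytes and validating the URL before it reaches get_headers()) as an added PHP example; this is not code from the advisory or from PHP itself. The function names, the scheme and host allowlist, the sample URLs and the log format are constructed for illustration. The point of rejecting rather than stripping the NUL byte is that the URL the code validated is then guaranteed to be the URL get_headers() actually uses, on patched and unpatched interpreters alike.

```php
<?php
// Added example (not from the advisory or from PHP's own source): a guarded
// wrapper around get_headers() that refuses URLs containing a NUL byte (the
// CVE-2020-7066 truncation trigger) and other unsafe input before any request
// is built. Policy values and function names below are hypothetical.

declare(strict_types=1);

/** Schemes and hosts this application is allowed to probe (constructed policy). */
const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_HOSTS   = ['api.example.com', 'cdn.example.com'];

/**
 * Validate a user-supplied URL before it reaches get_headers().
 * Returns null when the URL is acceptable, otherwise a short reason string.
 */
function validate_probe_url(string $url): ?string
{
    // 1. A NUL byte anywhere in the string: unpatched PHP 7.2/7.3/7.4 would
    //    silently cut the URL here, so the effective target could differ from
    //    what was validated. Reject instead of stripping, so the attempt is logged.
    if (strpos($url, "\0") !== false) {
        return 'URL contains a NUL byte';
    }
    // 2. Other C0 control characters (CR, LF, ...) have no place in a URL either.
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return 'URL contains control characters';
    }
    // 3. Structural checks on the parsed form: absolute URL, allowed scheme and host.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'URL is not absolute or could not be parsed';
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return 'scheme not allowed: ' . $parts['scheme'];
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return 'host not allowed: ' . $parts['host'];
    }
    return null;
}

/**
 * Call get_headers() only after validation passes. Returns the header array,
 * or false when validation fails or the request itself fails. The rejected URL
 * is escaped with addcslashes() so NUL bytes and control characters cannot
 * corrupt the log line.
 */
function safe_get_headers(string $url, bool $associative = false)
{
    $reason = validate_probe_url($url);
    if ($reason !== null) {
        error_log(sprintf('rejected get_headers() target (%s): %s',
            $reason, addcslashes($url, "\0..\37\177")));
        return false;
    }
    // A short timeout keeps a slow or unresponsive host from tying up the worker.
    $ctx = stream_context_create(['http' => ['timeout' => 5.0]]);
    return get_headers($url, $associative, $ctx);
}

// Offline demonstration over constructed inputs: only the validation step
// runs here; no network request is made.
$samples = [
    'https://api.example.com/status',
    "https://api.example.com/status\0/ignored",
    "https://api.example.com/\r\nX-Injected: 1",
    'https://other.example/status',
    'ftp://api.example.com/status',
];
foreach ($samples as $sample) {
    $verdict = validate_probe_url($sample) ?? 'ok';
    printf("%-48s -> %s\n", addcslashes($sample, "\0..\37\177"), $verdict);
}
```

In the demonstration only the first sample passes; the second is rejected for the NUL byte, the third for embedded CR/LF, and the last two by the host and scheme allowlists. Replace the allowlist with whatever policy the application actually needs; the NUL-byte and control-character checks should stay regardless, since they are what neutralise the truncation described above on an interpreter that has not yet been upgraded.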
It's a vulnerability in PHP where URLs passed to the get_headers() function can be silently truncated if they contain zero characters, potentially sending data to the wrong server.
You are affected if you're using PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16, or 7.4.x below 7.4.4.
Upgrade to PHP version 7.4.4 or later. If upgrading isn't possible, sanitize user-supplied URLs to remove zero characters.
Currently, there are no known public exploits or active campaigns targeting this vulnerability, but the potential for exploitation exists.
Refer to the official CVE entry on the NVD website: https://nvd.nist.gov/vuln/detail/CVE-2020-7066