Improper Input Validation Affecting workerman/workerman package, versions >=0.0.0
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-WORKERMANWORKERMAN-569105
- published 27 Jul 2020
- disclosed 27 Jul 2020
- credit Sam Sanoop of Snyk Security Team
How to fix?
There is no fixed version for workerman/workerman
.
Overview
workerman/workerman is an asynchronous event driven PHP framework for easily building fast, scalable network applications.
Affected versions of this package are vulnerable to Improper Input Validation. HTTP requests processed by workerman
does not have adequate validation and as such, allows malformed Transfer-Encoding headers.
In cases where workerman
is used as an intermediate proxy such as php-http-proxy
as part of a part of a chain of servers , it is possible for an attacker to leverage this behaviour to conduct HTTP Request Smuggling.
PoC
Violation of RFC 7230 (Mishandling of Space)
POST / HTTP/1.1
Host:localhost
Transfer-Encoding : chunked
Content-Length: 4
Content-Type: application/x-www-form-urlencoded
0