Homepage
About Snyk

Improper Input Validation Affecting workerman/workerman package, versions >=0.0.0

0.0
medium

Snyk CVSS

    Attack Complexity High
    Scope Changed

    Threat Intelligence

    Exploit Maturity Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-WORKERMANWORKERMAN-569105
  • published 27 Jul 2020
  • disclosed 27 Jul 2020
  • credit Sam Sanoop of Snyk Security Team
Report a new vulnerability Found a mistake?

Introduced: 27 Jul 2020

CVE NOT AVAILABLE CWE-20 Open this link in a new tab
First added by Snyk

How to fix?

There is no fixed version for workerman/workerman.

Overview

workerman/workerman is an asynchronous event driven PHP framework for easily building fast, scalable network applications.

Affected versions of this package are vulnerable to Improper Input Validation. HTTP requests processed by workerman does not have adequate validation and as such, allows malformed Transfer-Encoding headers.

In cases where workerman is used as an intermediate proxy such as php-http-proxy as part of a part of a chain of servers , it is possible for an attacker to leverage this behaviour to conduct HTTP Request Smuggling.

PoC

Violation of RFC 7230 (Mishandling of Space)


POST / HTTP/1.1
Host:localhost
Transfer-Encoding : chunked
Content-Length: 4
Content-Type: application/x-www-form-urlencoded


0