Is PHP Immune to HTTP Response Response Vulnerabilities?

Question

Is PHP Immune to HTTP Response Response Vulnerabilities?

<?php
setcookie('test', "test\r\n<script>alert(1)</script>");
echo 1;

But it turns out that PHP automatically performs the encoding:

Set-Cookie: test=test%0D%0A%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Does this mean that it is not possible to reproduce splitting the HTTP response in PHP?

+5

security php http-headers exploit

cpuer Jun 09 '11 at 3:10

source share

1 answer

mario · Accepted Answer · 2011-06-09T04:28:42+0000

From the Wikipedia article link :

[...] Although the separation of responses is not specific to PHP, the PHP interpreter contains protection against attacks from versions 4.4.2 and 5.1.2. ^[1]

headerand setcookiecontain mitigations against split response / header. It's impossible.

Is PHP Immune to HTTP Response Response Vulnerabilities?

More articles: