CVE-2020-7071 php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo

Publication Date: 2021-01-03
Severity: Moderate
Type: Remote File Inclusion
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.0.0 - 7.0.33
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.34
  • 7.3.0 - 7.3.25
  • 7.4.0 - 7.4.13
  • 8.0.0
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendServer 8.5.16
  • ZendServer 9.1.11
  • ZendServer 2019.0.6

CVE Details

If you use filter_var() with the FILTER_VALIDATE_URL option, validation may return a false positive: a URL that is invalid or deliberately malformed is reported as valid, so your application may go on to use it. A further side effect is that parse_url() returns an unexpected host and/or userinfo for such a URL. Together, these would allow a malicious user to cause an application to retrieve from, or post to, a URL that the system does not specifically allow.

Recommendations

Upgrade to PHP 8.0.1 or later, 7.4.14 or later, or 7.3.26 or later.

Whenever possible, do not make HTTP calls to user-submitted URLs.

If you must use user-submitted URLs, validate and parse them with a dedicated URI library such as league/uri rather than relying on filter_var() and parse_url() alone.
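The following is an added example, not code from the advisory or from any PHP or Zend project, showing one way to harden outbound fetches while an upgrade is pending: FILTER_VALIDATE_URL is kept only as a cheap pre-filter, the actual decision is made on parse_url() components checked against an explicit host allow-list, any URL carrying userinfo is refused, and the request URL is rebuilt from the vetted components. The class name OutboundUrlPolicy, the allow-listed host api.example.com, and the sample URLs are all constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not from the advisory): defensive acceptance of URLs
 * destined for outbound HTTP calls. A pass from FILTER_VALIDATE_URL is
 * treated as a syntax hint only; the decision rests on parse_url()
 * components compared with an explicit allow-list.
 */
final class OutboundUrlPolicy
{
    /** @var string[] lowercase hostnames this application may contact */
    private array $allowedHosts;

    public function __construct(array $allowedHosts)
    {
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
    }

    /**
     * Returns a URL rebuilt from vetted components if the input is
     * acceptable, or null with the rejection reason written to $reason.
     */
    public function accept(string $url, ?string &$reason = null): ?string
    {
        // Step 1: cheap syntactic pre-filter. A pass is NOT trusted on its own
        // (see CVE-2020-7071); a fail is always final.
        if (filter_var($url, FILTER_VALIDATE_URL) === false) {
            $reason = 'rejected by FILTER_VALIDATE_URL';
            return null;
        }

        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            $reason = 'parse_url could not extract scheme and host';
            return null;
        }

        // Step 2: only plain web schemes for outbound fetches.
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, ['http', 'https'], true)) {
            $reason = "scheme '{$scheme}' not permitted";
            return null;
        }

        // Step 3: refuse embedded credentials outright. Userinfo is exactly
        // where the advisory's parser disagreement lives, and a server-side
        // fetch on a user's behalf has no reason to forward credentials.
        if (isset($parts['user']) || isset($parts['pass'])) {
            $reason = 'userinfo present in URL';
            return null;
        }

        // Step 4: exact host match after lowercasing; no suffix or substring
        // matching, which is a classic allow-list bypass source.
        $host = strtolower($parts['host']);
        if (!in_array($host, $this->allowedHosts, true)) {
            $reason = "host '{$host}' not in allow-list";
            return null;
        }

        // Step 5: rebuild from vetted components instead of handing the
        // original string to the HTTP client, so the client's own parser
        // never sees whatever odd bytes the original carried. The fragment
        // is dropped deliberately; it is never sent on the wire.
        $rebuilt = $scheme . '://' . $host;
        if (isset($parts['port'])) {
            $rebuilt .= ':' . $parts['port'];
        }
        $rebuilt .= $parts['path'] ?? '/';
        if (isset($parts['query'])) {
            $rebuilt .= '?' . $parts['query'];
        }
        $reason = null;
        return $rebuilt;
    }
}

// Constructed sample inputs (not from the advisory), one per policy branch.
$policy = new OutboundUrlPolicy(['api.example.com']);
$samples = [
    'https://api.example.com/v1/items?limit=10', // allow-listed host, no userinfo
    'https://user:secret@api.example.com/v1/',   // carries userinfo
    'https://other.example.net/v1/items',        // host outside the allow-list
    'ftp://api.example.com/file',                // non-web scheme
    'not a url',                                 // fails the syntactic pre-filter
];
foreach ($samples as $sample) {
    $ok = $policy->accept($sample, $reason);
    printf("%-46s => %s\n", $sample, $ok === null ? "REJECT ({$reason})" : "ACCEPT {$ok}");
}
```

The allow-list check is what actually neutralises the impact described under CVE Details: even if filter_var() passes a malformed URL, the host that parse_url() reports must still be one the application explicitly trusts, and credentials in the URL are never forwarded. This does not replace the upgrade; it limits the blast radius of a validator that cannot be fully trusted.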