CVE-2024-11234: 
PHP vulnerability analysis and mitigation

In PHP versions 8.1. before 8.1.31, 8.2. before 8.2.26, and 8.3.* before 8.3.14, a vulnerability was discovered where the URI is not properly sanitized when using streams with configured proxy and "request_fulluri" option. This vulnerability, identified as CVE-2024-11234, was disclosed on November 21, 2024 (PHP Advisory, NVD).

The vulnerability lies in the implementation of requestfulluri parameter, which inserts the raw URI into the HTTP request line without proper control characters sanitization. When requestfulluri is set to true, or when using non-HTTP streams with a proxy parameter (currently only FTP context supports this), the request_fulluri parameter gets automatically silently enabled. This bypasses the normal control characters sanitization usually performed when parsing the URL. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) by NIST and 4.8 (MEDIUM) by PHP Group (NVD).

The vulnerability can lead to HTTP request smuggling attacks, allowing attackers to use the proxy to perform arbitrary HTTP requests originating from the server. This could potentially result in Server Side Request Forgery (SSRF) attacks, enabling attackers to bypass security controls, access internal endpoints, and potentially access different hosts or machines. The attacker can craft requests using any HTTP method and set any header to any value, including sensitive headers like Authorization, Cookie, Origin, or Referer (PHP Advisory).

The vulnerability has been patched in PHP versions 8.1.31, 8.2.26, and 8.3.14. Users are advised to upgrade to these patched versions to mitigate the security risk (PHP Advisory, NVD).