CVE-2020-7071 Overview
CVE-2020-7071 is an input validation vulnerability affecting PHP's URL validation functionality. When validating URLs using functions like filter_var($url, FILTER_VALIDATE_URL), PHP incorrectly accepts URLs containing invalid password characters as valid. This improper validation can lead to URL mis-parsing by downstream functions that rely on the URL being properly validated, potentially resulting in the extraction of incorrect URL components.
Critical Impact
Applications relying on PHP's built-in URL validation may process malformed URLs as legitimate, potentially leading to security bypasses, server-side request forgery (SSRF) scenarios, or data integrity issues when URL components are parsed incorrectly.
Affected Products
- PHP versions 7.3.x below 7.3.26
- PHP versions 7.4.x below 7.4.14
- PHP version 8.0.0
- Debian Linux 9.0 and 10.0
- NetApp Clustered Data ONTAP
Discovery Timeline
- 2021-02-15 - CVE-2020-7071 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-7071
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) within PHP's URL parsing and validation mechanisms. The filter_var() function with the FILTER_VALIDATE_URL flag is designed to verify that a given string represents a properly formatted URL according to RFC standards. However, the implementation fails to properly validate the password component of the URL's userinfo section.
When a URL contains an invalid password (containing characters that should be percent-encoded or rejected), PHP's validation logic incorrectly returns the URL as valid. This creates a discrepancy between what is considered valid during the initial validation and how subsequent parsing functions interpret the URL components.
The vulnerability is exploitable over the network without authentication or user interaction, though the impact is limited to integrity concerns rather than confidentiality or availability breaches.
Root Cause
The root cause lies in insufficient character validation within PHP's URL parsing implementation. The password portion of a URL (appearing between the username and @ symbol in the authority component) should conform to specific character restrictions per RFC 3986. PHP's filter_var() function with FILTER_VALIDATE_URL fails to enforce these restrictions properly, allowing malformed password strings to pass validation.
This inconsistency means the validation function and parsing functions operate with different assumptions about URL validity, creating potential for security-relevant misbehavior in applications that trust the validation result.
Attack Vector
An attacker can exploit this vulnerability by supplying a specially crafted URL with an invalid password component to any PHP application that relies on filter_var() for URL validation. The attack scenario typically involves:
- Identifying an application endpoint that accepts URLs and validates them using filter_var($url, FILTER_VALIDATE_URL)
- Crafting a URL with malformed password characters that passes validation but causes parsing discrepancies
- The application processes the "valid" URL, but downstream parsing extracts incorrect components
This can lead to scenarios where security controls based on URL parsing (such as allowlist checks, hostname verification, or path restrictions) can be bypassed because the parsed components differ from what was validated. The vulnerability is particularly concerning in SSRF prevention contexts or when URL components are used for access control decisions.
For technical details on the specific invalid password patterns that trigger this behavior, see PHP Bug Report #77423.
Detection Methods for CVE-2020-7071
Indicators of Compromise
- Unusual URL patterns in application logs containing malformed userinfo sections (username:password portion before the @ symbol)
- Error messages or exceptions from URL parsing functions that follow successful URL validation
- Unexpected network connections to hosts that should have been blocked by URL validation controls
Detection Strategies
- Review application code for usage of filter_var() with FILTER_VALIDATE_URL flag and assess if additional validation is performed
- Implement logging for URLs that pass validation but generate parsing errors in subsequent processing
- Deploy web application firewall rules to detect URLs with suspicious character patterns in the userinfo (credential) portion of the authority component
Monitoring Recommendations
- Monitor PHP application logs for discrepancies between validated URLs and parsed URL components
- Track any SSRF-related security events in applications that process user-supplied URLs
- Enable verbose logging for URL processing in sensitive applications to capture validation and parsing outcomes
How to Mitigate CVE-2020-7071
Immediate Actions Required
- Upgrade PHP to version 7.3.26 or later for 7.3.x installations
- Upgrade PHP to version 7.4.14 or later for 7.4.x installations
- Upgrade PHP to version 8.0.1 or later for 8.0.x installations
- Review all instances where filter_var() with FILTER_VALIDATE_URL is used in critical security contexts
Patch Information
PHP has released patched versions addressing this vulnerability. Organizations should update to the following minimum versions:
- PHP 7.3.26 for the 7.3 branch
- PHP 7.4.14 for the 7.4 branch
- PHP 8.0.1 for the 8.0 branch
Detailed information is available in the PHP Bug Report #77423. Additional vendor-specific patches are documented in Debian Security Advisory DSA-4856 and NetApp Security Advisory NTAP-2021-03-12.
Workarounds
- Implement additional URL validation using parse_url() and verify each component independently before processing
- Use strict allowlist validation for URL schemes, hosts, and ports rather than relying solely on FILTER_VALIDATE_URL
- Consider using well-tested third-party URL parsing libraries that provide stricter validation
# Example: Check PHP version to verify patched status
php -v
# Verify the running branch meets its own fixed version (7.3.26, 7.4.14 or 8.0.1); a single
# comparison against 7.4.14 would misreport patched 7.3.x installs and the affected 8.0.0
php -r '$v = PHP_VERSION; $fix = ["7.3" => "7.3.26", "7.4" => "7.4.14", "8.0" => "8.0.1"]; $b = implode(".", array_slice(explode(".", $v), 0, 2)); echo isset($fix[$b]) ? (version_compare($v, $fix[$b], ">=") ? "Patched" : "Vulnerable") : "Branch $b not listed as affected", PHP_EOL;'
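The independent component checks from the Workarounds list above, and the validator/parser mismatch described under Vulnerability Analysis and Root Cause, as an added PHP example (not code from this advisory or from PHP itself). The function name, the allowlists and the sample URLs are constructed; filter_var() is kept only as a first gate and is not trusted on its own.

```php
<?php
// Added example, not taken from the advisory or from PHP's source. Defensive URL
// validation per the Workarounds section: filter_var() is only a first gate, then every
// component returned by parse_url() is checked. Helper name, allowlists, samples: constructed.

// RFC 3986 userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
const USERINFO_RE = '/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/';

function validate_url_strict(string $url, array $allowedHosts, array $allowedSchemes = ['http', 'https']): ?array
{
    // Gate 1: PHP's built-in check. On affected versions this alone may accept a
    // URL whose password contains characters that should have been rejected.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Gate 2: parse and verify each component ourselves.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), $allowedSchemes, true)) {
        return null;
    }
    // Userinfo: enforce the RFC 3986 character set on user and password so the
    // validator and the parser agree on where the host begins.
    foreach (['user', 'pass'] as $k) {
        if (isset($parts[$k]) && !preg_match(USERINFO_RE, $parts[$k])) {
            return null;
        }
    }
    // Host: exact, case-insensitive allowlist match (no suffix matching).
    if (!in_array(strtolower($parts['host']), array_map('strtolower', $allowedHosts), true)) {
        return null;
    }
    return $parts;
}

// Constructed sample inputs.
$allowed = ['api.example.test'];
$samples = [
    'https://api.example.test/v1/items',              // accepted
    'https://user:p%40ss@api.example.test/v1/items',  // accepted: percent-encoded password
    'https://user:p\\ss@api.example.test/v1/items',   // rejected: backslash is not a userinfo character
    'ftp://api.example.test/file',                    // rejected: scheme not allowed
    'https://evil.example.test/v1/items',             // rejected: host not on the allowlist
];
foreach ($samples as $u) {
    printf("%-50s %s\n", $u, validate_url_strict($u, $allowed) ? 'accepted' : 'rejected');
}
```

Because the host comes from parse_url() and is matched exactly against an allowlist, the result no longer depends on filter_var() and parse_url() agreeing about the userinfo section.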
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

