Medium severity (5.4) · NVD Advisory · Published Apr 17, 2025 · Updated Apr 15, 2026
CVE-2025-43717
Description
In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to XSS.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pear/http_request2 (Packagist) | < 2.7.0 | 2.7.0 |
Patches
07925aa77e44 · Encode all input, warn not to serve on public websites
14 files changed · +68 −68
tests/_network/basicauth.php+5 −5 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null; @@ -27,7 +27,7 @@ header('WWW-Authenticate: Basic realm="HTTP_Request2 tests"', true, 401); echo "Login required"; } else { - echo "Username={$user};Password={$pass}"; + echo htmlspecialchars("Username={$user};Password={$pass}", ENT_NOQUOTES, 'UTF-8'); } ?> \ No newline at end of file
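Review bot: the second hunk encodes the `Username=...;Password=...` line but, like every other fixture in this commit, the file still sends no Content-Type header, so PHP's default text/html applies and the browser would parse the body as markup again the moment a future edit drops the htmlspecialchars() call; add `header('Content-Type: text/plain; charset=UTF-8');` before the echo as a second, independent layer. The ENT_NOQUOTES choice is fine for a body that is only ever text, but note it leaves `"` and `'` untouched, so this output must never be placed inside an attribute.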
tests/_network/bug19934.php+4 −4 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ for ($i = 0; $i < 20; $i++) {
tests/_network/bug20228.php+4 −4 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ header('Transfer-Encoding: chunked');
tests/_network/cookies.php+5 −5 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,12 +13,12 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ ksort($_COOKIE); -echo serialize($_COOKIE); +echo htmlspecialchars(serialize($_COOKIE), ENT_NOQUOTES, 'UTF-8'); ?> \ No newline at end of file
tests/_network/digestauth.php+6 −6 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,15 +13,15 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ /** * Mostly borrowed from PHP manual and Socket Adapter implementation * - * @link http://php.net/manual/en/features.http-auth.php + * @link https://php.net/manual/en/features.http-auth.php */ /** @@ -78,6 +78,6 @@ function http_digest_parse($txt) '",qop="auth",nonce="' . uniqid() . '"', true, 401); echo "Login required"; } else { - echo "Username={$data['username']}"; + echo htmlspecialchars("Username={$data['username']}", ENT_NOQUOTES, 'UTF-8'); } ?> \ No newline at end of file
tests/_network/download.php+4 −4 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ $payload = str_repeat('0123456789abcdef', 128);
tests/_network/getparameters.php+5 −5 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,12 +13,12 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ ksort($_GET); -echo serialize($_GET); +echo htmlspecialchars(serialize($_GET), ENT_NOQUOTES, 'UTF-8'); ?> \ No newline at end of file
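Review bot: `htmlspecialchars(serialize($_GET))` is no longer a valid serialized string once any key or value contains `&`, `<` or `>`, because the `s:N:` counts refer to the raw bytes and a single `&` alone grows to five, so whatever test consumes this response has to run html_entity_decode() before unserialize(); none of the 14 files in this commit is on the PHPUnit side, so please confirm that matching change lands with it. The same applies to cookies.php, postparameters.php and the serialize() calls added in redirects.php.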
tests/_network/incompletebody.php+4 −4 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ header('Connection: close');
tests/_network/postparameters.php+5 −5 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,12 +13,12 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ ksort($_POST); -echo serialize($_POST); +echo htmlspecialchars(serialize($_POST), ENT_NOQUOTES, 'UTF-8'); ?> \ No newline at end of file
tests/_network/rawpostdata.php+5 −5 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,10 +13,10 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ -readfile('php://input'); +echo htmlspecialchars(file_get_contents('php://input'), ENT_NOQUOTES, 'UTF-8'); ?> \ No newline at end of file
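Review bot: passing 'UTF-8' without ENT_SUBSTITUTE makes htmlspecialchars() return an empty string for any input that is not valid UTF-8, and a raw POST body is the fixture most likely to carry binary data, so a test that uploads arbitrary bytes would now get an empty 200 response instead of its payload; use `ENT_NOQUOTES | ENT_SUBSTITUTE` (PHP 5.4+) so invalid sequences become U+FFFD rather than discarding the whole output. Also worth a comment: readfile() streamed the body, while file_get_contents() buffers all of it in memory, which is acceptable for test-sized bodies but changes the file's behaviour on large ones.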
tests/_network/redirects.php+7 −7 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ $redirects = isset($_GET['redirects'])? $_GET['redirects']: 1; @@ -43,8 +43,8 @@ header('Location: ' . $url, true, 302); } else { - echo "Method=" . $_SERVER['REQUEST_METHOD'] . ';'; - var_dump($_POST); - var_dump($_GET); + echo "Method=" . htmlspecialchars($_SERVER['REQUEST_METHOD'], ENT_NOQUOTES, 'UTF-8') . ';'; + echo htmlspecialchars(serialize($_POST), ENT_NOQUOTES, 'UTF-8'); + echo htmlspecialchars(serialize($_GET), ENT_NOQUOTES, 'UTF-8'); } ?> \ No newline at end of file
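Review bot: the unchanged context line still takes `$redirects` straight from `$_GET['redirects']` with no (int) cast, and the `$url` handed to `header('Location: ...')` is built outside this hunk; since the commit's stated goal is to encode all input, please confirm neither value reaches the response body or a header unchecked. The switch from var_dump() to serialize() also changes the body format, so any assertion written against the old var_dump() layout needs updating alongside this change.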
tests/_network/setcookie.php+4 −4 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ $name = empty($_GET['name'])? 'foo': $_GET['name'];
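Review bot: only the docblock changes here while the unchanged context line still reads `$name` from `$_GET['name']`; confirm that value only ever reaches setcookie(), which rejects names containing `=`, `,`, `;`, whitespace or control characters, and is never echoed, otherwise it needs the same htmlspecialchars() treatment the other fixtures received.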
tests/_network/timeout.php+4 −4 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ sleep(5);
tests/_network/uploads.php+6 −6 modified@@ -1,6 +1,6 @@ <?php /** - * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP. + * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites. * * PHP version 5 * @@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ if (isset($_GET['slowpoke'])) { @@ -25,10 +25,10 @@ foreach ($_FILES as $name => $file) { if (is_array($file['name'])) { foreach($file['name'] as $k => $v) { - echo "{$name}[{$k}] {$v} {$file['type'][$k]} {$file['size'][$k]}\n"; + echo htmlspecialchars("{$name}[{$k}] {$v} {$file['type'][$k]} {$file['size'][$k]}\n", ENT_NOQUOTES, 'UTF-8'); } } else { - echo "{$name} {$file['name']} {$file['type']} {$file['size']}\n"; + echo htmlspecialchars("{$name} {$file['name']} {$file['type']} {$file['size']}\n", ENT_NOQUOTES, 'UTF-8'); } } ?> \ No newline at end of file
265e05f9e08a · Add a note to not keep server-side test files publicly accessible
2 files changed · +14 −14
tests/NetworkConfig.php.dist+10 −7 modified@@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ /** @@ -27,10 +27,13 @@ /** * Base URL for HTTP_Request2 Adapters tests * - * To enable the tests that actually perform network interaction, you should - * copy the contents of _network directory to a directory under your web - * server's document root or create a symbolic link to _network directory - * there. Set this constant to point to the URL of that directory. + * The tests that perform network interaction require that the files in the + * _network directory are served by a webserver. The below constant should + * contain an URI where that directory is served. + * + * Please note that it is NOT a good idea for that URI to be publicly + * accessible, keep it behind a firewall and / or only enable it when + * the tests are run. */ define('HTTP_REQUEST2_TESTS_BASE_URL', null);
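Review bot: "contain an URI" should read "a URI" (minor), and a comment is the only control this hunk adds; since the root cause was fixtures copied under a public document root, consider shipping a `.htaccess` with `Require all denied` in tests/_network (with an equivalent note for nginx in the README), or having each fixture refuse requests that do not carry a test-only token, so the directory fails closed when someone does not read the note. The GitHub variant below binds the built-in server to localhost, which is the model to point people at.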
tests/NetworkConfig.php.github+4 −7 modified@@ -13,9 +13,9 @@ * @category HTTP * @package HTTP_Request2 * @author Alexey Borzov <avb@php.net> - * @copyright 2008-2023 Alexey Borzov <avb@php.net> - * @license http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License - * @link http://pear.php.net/package/HTTP_Request2 + * @copyright 2008-2025 Alexey Borzov <avb@php.net> + * @license https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License + * @link https://pear.php.net/package/HTTP_Request2 */ /** @@ -27,10 +27,7 @@ /** * Base URL for HTTP_Request2 Adapters tests * - * To enable the tests that actually perform network interaction, you should - * copy the contents of _network directory to a directory under your web - * server's document root or create a symbolic link to _network directory - * there. Set this constant to point to the URL of that directory. + * Test suite running on GitHub serves the files through PHP's built-in webserver. */ define('HTTP_REQUEST2_TESTS_BASE_URL', 'http://localhost:8000/');
Vulnerability mechanics
The package ships server-side PHP fixtures under tests/_network/ that its network tests call over HTTP, and until this fix the docblock on every one of them read "Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.", which is how the directory ended up under public document roots. Before 2.7.0 several fixtures wrote client-controlled data into the response body verbatim: getparameters.php did `echo serialize($_GET)`, postparameters.php `echo serialize($_POST)`, cookies.php `echo serialize($_COOKIE)`, rawpostdata.php `readfile('php://input')`, and basicauth.php, digestauth.php, redirects.php and uploads.php interpolated the supplied username, request method, parameters or upload file names into plain echo statements. None of them sets a Content-Type, so PHP serves the body as text/html and a browser renders whatever markup the request carried; a link such as `getparameters.php?x=<script>...</script>` therefore executes in the origin of any site that vendored the package with its tests, a textbook reflected XSS. The first patch (07925aa77e44) wraps every reflected value in `htmlspecialchars(..., ENT_NOQUOTES, 'UTF-8')` and rewrites the docblock to say the files must NOT be served on public websites; the second (265e05f9e08a) puts the same warning into the network test configuration. Updating to 2.7.0 encodes the output, but the real remedy is not to serve tests/ at all: the fixtures live inside the package directory, so any install that exposes vendor/ (Composer places them at vendor/pear/http_request2/tests/_network/) or the PEAR test directory under the document root exposes them.
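As an added example for this page (not code from pear/http_request2 or the advisory), the Python below models the getparameters.php body before and after the 07925aa77e44 change, classifies a response as raw or encoded reflection, lists fixture files found under a document root, and can run the same check against a live deployment. The vendor/pear/http_request2 path, the canary string and the `_network` directory name used for matching are assumptions.

```python
"""
Added example for CVE-2025-43717 (not code from pear/http_request2): model the
fixture's behaviour before and after the 2.7.0 fix, and check a deployment for it.
Assumptions: the Composer layout vendor/pear/http_request2/tests/_network/ (or
any copy of tests/_network/ under the web root) and an inert markup canary.
"""
import html
import os
import urllib.error
import urllib.parse
import urllib.request

# Fixture file names as listed in the 07925aa77e44 diff (tests/_network/).
FIXTURES = frozenset([
    "basicauth.php", "bug19934.php", "bug20228.php", "cookies.php",
    "digestauth.php", "download.php", "getparameters.php", "incompletebody.php",
    "postparameters.php", "rawpostdata.php", "redirects.php", "setcookie.php",
    "timeout.php", "uploads.php",
])

# Inert markup: reflected raw, the browser creates an element; reflected
# encoded, it renders as text. Not a script, so the probe is safe to run.
CANARY = "<hr2canary data-x=1>"


def php_serialize_strings(params: dict) -> str:
    """Model of PHP serialize() for an array of string keys and string values.
    Lengths are byte counts, as in PHP; keys are sorted because the fixtures ksort()."""
    parts = [f"a:{len(params)}:{{"]
    for key in sorted(params):
        value = params[key]
        parts.append(f's:{len(key.encode())}:"{key}";s:{len(value.encode())}:"{value}";')
    parts.append("}")
    return "".join(parts)


def fixture_body(params: dict, patched: bool) -> str:
    """What getparameters.php returns for the given query parameters.
    patched=False is `echo serialize($_GET)` (< 2.7.0); patched=True wraps it in
    htmlspecialchars(..., ENT_NOQUOTES, 'UTF-8'), which encodes only & < >, the
    same set html.escape(quote=False) encodes."""
    body = php_serialize_strings(params)
    return html.escape(body, quote=False) if patched else body


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """'raw' if the canary reached the body untouched (reflected XSS), 'encoded'
    if it came back entity-encoded (fixed), 'absent' otherwise."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=False) in body:
        return "encoded"
    return "absent"


def find_fixtures(docroot: str) -> list:
    """Paths (relative to docroot) of fixture files sitting in any _network directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        if os.path.basename(dirpath) != "_network":
            continue
        for name in sorted(files):
            if name in FIXTURES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return hits


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Live check: send the canary to the three fixtures that echo request data
    verbatim and classify each response. base_url is where _network/ is served,
    e.g. https://host/vendor/pear/http_request2/tests/_network (an assumption)."""
    base = base_url.rstrip("/")
    form = urllib.parse.urlencode({"x": CANARY})
    requests = {
        "getparameters.php": (f"{base}/getparameters.php?{form}", None),
        "postparameters.php": (f"{base}/postparameters.php", form.encode()),
        "rawpostdata.php": (f"{base}/rawpostdata.php", CANARY.encode()),
    }
    results = {}
    for name, (url, data) in requests.items():
        try:
            with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
                results[name] = classify_reflection(resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as exc:
            results[name] = f"http {exc.code}"        # 403/404: not served, which is the goal
        except (urllib.error.URLError, OSError) as exc:
            results[name] = f"unreachable: {exc}"
    return results


if __name__ == "__main__":
    import sys
    print(fixture_body({"x": CANARY}, patched=False))
    print(fixture_body({"x": CANARY}, patched=True))
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(find_fixtures(target) if os.path.isdir(target) else probe(target))
```

Run it with a directory argument to list fixture files under a document root, or with a URL to probe a running server; any result other than "encoded" or an HTTP error for a fixture that is served means the deployment is still reflecting input, and an HTTP 403/404 for all three is the state to aim for regardless of version.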
References
- github.com/advisories/GHSA-w7gh-f2fm-9q8r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-43717 (GHSA, advisory)
- github.com/pear/HTTP_Request2/blob/b1c61b71128045734d757c4d3d436457ace80ea7/package.xml (NVD, web)
- github.com/pear/HTTP_Request2/commit/07925aa77e441dba0ff0fa973a09802729cb838f (NVD, web)
- github.com/pear/HTTP_Request2/commit/265e05f9e08a28a38a57219516a8e4e2dfdbb147 (NVD, web)
- github.com/pear/HTTP_Request2/compare/v2.6.0...v2.7.0 (NVD, web)