Date: Thu, 10 Jan 2013 15:38:57 +0100
From: chevalier 3as <chevalier3as@...il.com>
To: oss-security@...ts.openwall.com
Subject: Potential HTTP Header Injection in Apache HTTPClient

Hi,

As I'm not sure if this is a vulnerability or simply a 'feature', I'm posting the details for more information.

The addRequestHeader method of the Apache HTTPClient module version 3.x seems to allow the injection of more than one header (potentially the latest version 4.x too, for the addHeader method):

Using the following code, it includes a third header in the request:

    HttpClient client = new HttpClient();
    PostMethod method = new PostMethod("http://www.google.fr");
    method.addRequestHeader("header1", "value1\r\nheader3: value3");
    method.addRequestHeader("header2","value2");

The real risk is adding a second request using similar code:

    req.addRequestHeader("Content-Length:0\r\n\r\n" +
        "POST\t/anotherpath\tHTTP/1.1\r\n" +
        "Host:host\r\n" +
        "Referer:faked\r\n" +
        "User-Agent:faked\r\n" +
        "Content-Type:faked\r\n" +
        "Content-Length:3\r\n" +
        "\r\n" +
        "foo\n",
        "bar");

Because of the Content-Length header, the server will consider it as a separate request.

Is this an expected behavior? If so, developers should be aware of the risk of letting a user input values.

A similar advisory for Flash is available here:
http://www.rapid7.com/resources/advisories/R7-0026.jsp

My 2 cents,
As
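
A caller-side check for the behaviour reported above, as an added example that is not part of the original post or of Apache HttpClient. The HeaderGuard class and its method names are hypothetical; it rejects header names that are not RFC 7230 tokens and values containing CR, LF or other control characters, and is exercised on the two inputs from the post (the second one shortened to its first line) plus one benign pair.

```java
import java.util.regex.Pattern;

// Added example: hypothetical helper, not part of Apache HttpClient.
public final class HeaderGuard {
    // RFC 7230 "token": the only characters allowed in a header field name.
    private static final Pattern TOKEN =
            Pattern.compile("[!#$%&'*+.^_`|~0-9A-Za-z-]+");

    /** Returns the name unchanged, or throws if it is not a valid token. */
    public static String name(String name) {
        if (name == null || !TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("illegal header name");
        }
        return name;
    }

    /** Returns the value unchanged, or throws on CR, LF or other control characters. */
    public static String value(String value) {
        if (value == null) {
            throw new IllegalArgumentException("null header value");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Horizontal tab is legal inside a field value; other controls are not.
            if ((c < 0x20 && c != '\t') || c == 0x7f) {
                throw new IllegalArgumentException("control character 0x" + Integer.toHexString(c) + " at index " + i);
            }
        }
        return value;
    }

    public static void main(String[] args) {
        // Inputs taken from the post above, plus one benign pair.
        String[][] cases = {
            {"header2", "value2"},
            {"header1", "value1\r\nheader3: value3"},
            {"Content-Length:0\r\n\r\nPOST\t/anotherpath\tHTTP/1.1\r\n", "bar"},
        };
        for (String[] c : cases) {
            try {
                name(c[0]);
                value(c[1]);
                System.out.println("accepted: " + c[0]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

With the 3.x API quoted in the post, the call site becomes `method.addRequestHeader(HeaderGuard.name(n), HeaderGuard.value(v))`, so untrusted input is refused before it reaches the request.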