Date: Thu, 10 Jan 2013 15:38:57 +0100
From: chevalier 3as <>
Subject: Potential HTTP Header Injection in Apache HTTPClient


As I'm not sure if this is a vulnerability or simply a 'feature', I'm
posting the details for more information.

The addRequestHeader method of the Apache HTTPClient module version
3.x seems to allow the injection of more than a header (potentially
the latest version 4.x too for addHeader method):

Using the following code, it includes a third header in the request:
        HttpClient client = new HttpClient();
        PostMethod method = new PostMethod("");
        method.addRequestHeader("header1", "value1\r\nheader3: value3");

The real risk is adding a second request using a similar code:
req.addRequestHeader("Content-Length:0\r\n\r\n" +
"POST\t/anotherpath\tHTTP/1.1\r\n" +
"Host:host\r\n" +
"Referer:faked\r\n" +
"User-Agent:faked\r\n" +
"Content-Type:faked\r\n" +
"Content-Length:3\r\n" +
"\r\n" +

Because of the Content-Length header, the server will consider it as a
separate request.

Is this an expected behavior? If so, developers should be aware of
the risk of letting a user input values.

A similar advisory for Flash is available here:

My 2 cents,
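
Added example, not part of the original post and not Apache HttpClient code: a caller-side check that rejects header names and values containing CR, LF or other control characters before they reach addRequestHeader. The class name HeaderGuard and the method checked are hypothetical, and the sample inputs are constructed from the values quoted in the post.

```java
import java.util.regex.Pattern;

public class HeaderGuard {                       // hypothetical helper, not an HttpClient class
    // RFC 7230 "token": the only characters allowed in a header field name.
    private static final Pattern TOKEN =
            Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");

    /** Returns value unchanged, or throws if name or value could change request framing. */
    public static String checked(String name, String value) {
        if (name == null || !TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("illegal header name");
        }
        if (value == null) {
            throw new IllegalArgumentException("null header value");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // HTAB is legal inside a field value; CR, LF, NUL and other controls are not.
            if ((c < 0x20 && c != '\t') || c == 0x7f) {
                throw new IllegalArgumentException(
                        "control character 0x" + Integer.toHexString(c) + " at index " + i);
            }
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed samples; the second value is the one from the post.
        String[][] samples = {
            {"header1", "value1"},
            {"header1", "value1\r\nheader3: value3"},
            {"Content-Length:0\r\n\r\nPOST", "x"},
        };
        for (String[] s : samples) {
            try {
                checked(s[0], s[1]);
                System.out.println("accepted: " + s[0]);
                // With HttpClient 3.x the call would then be:
                // method.addRequestHeader(s[0], checked(s[0], s[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting the input is safer than stripping the control characters, because a silently rewritten value can still end up carrying content the caller never intended to send.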
