Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Potential HTTP Header Injection in Apache HTTPClient
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 13 Feb 2013 02:54:42 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2013 07:38 AM, chevalier 3as wrote:
Hi,

As I'm not sure if this is a vulnerability or simply a 'feature',
I'm posting the details for more information.

The addRequestHeader method of the Apache HTTPClient module
version 3.x seems to allow the injection of more than a header
(potentilally the latest version 4.x too for addHeader method):

Using the following code, it includes a third header in the
request: HttpClient client = new HttpClient(); PostMethod method =
new PostMethod("http://www.google.fr";); 
method.addRequestHeader("header1", "value1\r\nheader3: value3"); 
method.addRequestHeader("header2","value2");


The real risk is adding a second request using a similar code: 
req.addRequestHeader("Content-Length:0\r\n\r\n" + 
"POST\t/anotherpath\tHTTP/1.1\r\n" + "Host:host\r\n" + 
"Referer:faked\r\n" + "User-Agent:faked\r\n" + 
"Content-Type:faked\r\n" + "Content-Length:3\r\n" + "\r\n" + 
"foo\n", "bar");

Because of the Content-Length header, the sever will consider it as
a seperate request.

Iis this an expected behavior ? if so developpers should be aware
of the risk letting a user input values.

A similar advisory for Flash is available here: 
http://www.rapid7.com/resources/advisories/R7-0026.jsp

My 2 cents, As


Has anyone investigated this/can comment on this? thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRG2LhAAoJEBYNRVNeJnmTYwcP/2PgkHgVU4K2dMzA0eRoseQF
jZLY1geucutLHWBEhIxLRLsvtiT1ac/ejVMn9w2Bw9No8bplJ7ElAjlGv4+a7aHS
TeNd9rV73DQq3SWibuonaXpODRONq6pTuoUMRhcGMdoYzOiSnHsLR+tix4ntJm4F
qS1hGwTJ1Zly5SXmOftrNt9Hwv/S/aDXdDh+v9OTz3G45MD8+4mihefxQneWMPOT
h0Q9g8aILoVAFaVo8YRXWI96MZ3atkPndzHUVrHR3MFiGDvJyvBEV9JdXJmxHjSA
jt9eOjE7jhLOw3L0YBjZ/XZh66okyP+D2ofjFbzDE4+VTWV9PqgyOyPNpUPB445L
pPDne0kxH+dVMOhQ3dtPGaP0KhYCKmza4spp00xD4WDI+FAaHeI3mhrSUn/7UShM
ee201bktkCnXL/gXIih+QQnc9ehmzCFGhuVYktHDjecGmyRarre0xcZy8wW6jd7/
qpL4znOo7NzA6Q/PVKVPuH1eyvr3J/RF3PPDTIIgjKhT7RHTs0m7Ff+dvON4HENM
38iLtItj6ntRZ3BL5ke6Z9qkxj8qdBVWUTbcL6JRu+9mo4fCzlGQ9MzDnvHk7svs
s0uvaeMbb6Qj86L+D9hr6kvFtu0HgftOILW/ygxLupZkEk9q4HJhZr+sHAeTRarN
HNxkOdjxQZG9FUNCdZ6o
=kiym
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault