WebApp Sec mailing list archives
Is this exploitable?..
From: "Benjamin Livshits" <livshits () cs stanford edu>
Date: Wed, 15 Dec 2004 14:42:24 -0800
I was looking at the following code in J2EE 1.4.1 HttpServlet.java and it
looks like it may be possible to exploit it:
    // Imports needed to compile this method inside an HttpServlet subclass
    // (not shown in the original excerpt).
    import java.io.IOException;
    import java.util.Enumeration;
    import javax.servlet.ServletException;
    import javax.servlet.ServletOutputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException
    {
        int responseLength;

        String CRLF = "\r\n";
        // The request line is rebuilt from the request URI and protocol version.
        String responseString = "TRACE " + req.getRequestURI() +
            " " + req.getProtocol();

        // Every request header, name and value, is copied into the response body.
        Enumeration reqHeaderEnum = req.getHeaderNames();

        while (reqHeaderEnum.hasMoreElements()) {
            String headerName = (String) reqHeaderEnum.nextElement();
            responseString += CRLF + headerName + ": " +
                req.getHeader(headerName);
        }

        responseString += CRLF;

        responseLength = responseString.length();

        // The echoed request is sent back verbatim as a message/http entity.
        resp.setContentType("message/http");
        resp.setContentLength(responseLength);
        ServletOutputStream out = resp.getOutputStream();
        out.print(responseString);
        out.close();
        return;
    }
It looks like responseString obtained from req is forgeable and this may
conceivably lead to a vulnerability down the line, it seems, when
responseString is output with a call to out.print(responseString).
Please advise.
-Ben
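One defensive answer to the question above, added here as an example and not code from the thread or from the J2EE sources: override doTrace so the servlet refuses TRACE with 405 instead of inheriting the default that echoes the request, plus a filter that applies the same policy to every servlet in the web application. The class names NoTraceServlet and RejectTraceFilter and the Allow list are invented for illustration.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet: refuses TRACE instead of inheriting the echoing default. */
public class NoTraceServlet extends HttpServlet {

    // Methods this servlet actually implements; advertised in the Allow header.
    private static final String ALLOWED = "GET, HEAD, POST, OPTIONS";

    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Nothing from the request (URI, protocol, headers) is copied into the
        // response, so there is no reflected content to reason about.
        resp.setHeader("Allow", ALLOWED);
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "TRACE is not supported");
    }
}

/** Hypothetical filter: same policy for every servlet, mapped to /* in web.xml. */
class RejectTraceFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // HttpServlet.service() compares the method with equals(), so do the same here.
        if (request instanceof HttpServletRequest
                && "TRACE".equals(((HttpServletRequest) request).getMethod())) {
            HttpServletResponse resp = (HttpServletResponse) response;
            resp.setHeader("Allow", "GET, HEAD, POST, OPTIONS");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;   // never hand the request down to a servlet's doTrace
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

The filter covers servlets that do not override doTrace themselves; the override is for cases where a single servlet must be hardened without touching web.xml.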
Current thread:
- Is this exploitable?.. Benjamin Livshits (Dec 16)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Stephen de Vries (Dec 20)
- Re: Is this exploitable?.. Tim (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
