Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part


From: Orange Tsai
Subject: Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
Date: Tue, 7 Mar 2017 03:05:02 +0800

Oops

That's my fault. I sent the wrong mail.

Very sorry :(

2017-03-07 3:03 GMT+08:00 Tim Rühsen <address@hidden>:

> On Tuesday, 7 March 2017 02:01:06 CET Orange Tsai wrote:
> > I am surprised that `http://address@hidden:address@hidden` will connect to
> > `evil.com`, not `good.com`.
> > Most URL parsers will recognize `good.com` as the host part, like this
> > advisory: https://curl.haxx.se/docs/adv_20161102J.html
> > It seems more dangerous than my original report if a developer still relies
> > on the result of the parsed URL.
> >
> > Some testing:
> > $ python try.py 'http://address@hidden:address@hidden/x'
> >
> > Python scheme=http, address@hidden:address@hidden, port=
> > PHP scheme=http, host=127.2.2.2, port=
> > Perl scheme=http, host=127.2.2.2, port=80
> > Ruby2 scheme=http, host=127.2.2.2, port=
> > GO scheme=http, host=127.2.2.2, port=
> > Java scheme=http, host=, port=-1
> > JS scheme=http, host=127.2.2.2, port=null
> >
> >
> >
> > But it seems to be the same root cause, and it is fixed by this patch. :)
> > By the way, would you mind allocating a CVE-ID to address this?
>
> I'd appreciate that. But I never did that, so who does allocate a CVE, how
> and where? I am willing to learn :-)
>
> Tim
>



-- 
- Orange -
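The parser disagreement quoted in this thread (a URL whose authority holds two `@` characters, so a parser that ends the userinfo at the first `@` and one that ends it at the last `@` pick different hosts), shown as an added example. This is not code from the thread, from wget, or from the test script the report mentions; the URL is a constructed stand-in, since the archive hides the original one. Beyond the thread's case, it includes a strict RFC 3986 authority check that rejects both the ambiguous two-`@` form and a host carrying CR/LF, which is the defect the thread's subject line is about.

```python
"""Added example (not from the wget thread or the wget code base): why an
authority with two '@' characters is ambiguous, and a strict RFC 3986 check
that rejects such URLs, and CRLF in the host, before an HTTP client sees them.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the URL in the thread (the archive hides the real
# one): the authority contains two '@'. Which host a client connects to
# depends on whether its parser ends the userinfo at the first or last '@'.
AMBIGUOUS_URL = "http://user@evil.com:pass@good.com/x"

# RFC 3986 section 3.2:  authority = [ userinfo "@" ] host [ ":" port ]
#   userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
#   reg-name = *( unreserved / pct-encoded / sub-delims )
# An unencoded '@' is only allowed as the single userinfo delimiter, so a
# conforming authority has at most one '@'. The patterns end in \Z rather
# than $ because $ also matches before a trailing newline.
_UNRESERVED_SUBDELIMS = r"A-Za-z0-9\-._~!$&'()*+,;="
_USERINFO_RE = re.compile(r"^(?:[" + _UNRESERVED_SUBDELIMS + r":]|%[0-9A-Fa-f]{2})*\Z")
_REG_NAME_RE = re.compile(r"^(?:[" + _UNRESERVED_SUBDELIMS + r"]|%[0-9A-Fa-f]{2})*\Z")
_IP_LITERAL_RE = re.compile(r"^\[[0-9A-Fa-f:.]+\]\Z")   # IPv6 literal, simplified
_PORT_RE = re.compile(r"^[0-9]*\Z")
# The authority runs from "//" up to the first "/", "?" or "#". The negated
# class deliberately matches CR and LF so that they reach the host check.
_AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+\-.]*://([^/?#]*)")


def host_first_at(authority):
    """Host chosen by a parser that ends the userinfo at the FIRST '@'."""
    _, _, hostport = authority.partition("@")
    return hostport.split(":", 1)[0]


def host_last_at(authority):
    """Host chosen by a parser that ends the userinfo at the LAST '@'
    (urllib.parse and the WHATWG URL algorithm do this)."""
    _, _, hostport = authority.rpartition("@")
    return hostport.split(":", 1)[0]


def urllib_host(url):
    """Host that Python's urllib.parse reports for the URL."""
    return urlsplit(url).hostname


def strict_authority(url):
    """Split the authority of `url` under RFC 3986 and return
    (userinfo, host, port). Raises ValueError when the authority is
    ambiguous (more than one '@') or contains any character outside the
    grammar, which covers CR, LF, space and other control characters.
    Works on the raw string on purpose: recent urllib.parse versions strip
    tab/CR/LF from the URL before parsing, which would hide an injection."""
    m = _AUTHORITY_RE.match(url)
    if not m:
        raise ValueError("no authority component in %r" % url)
    authority = m.group(1)
    if authority.count("@") > 1:
        raise ValueError("ambiguous authority, more than one '@': %r" % authority)
    userinfo, _, hostport = authority.rpartition("@")
    if not _USERINFO_RE.match(userinfo):
        raise ValueError("invalid userinfo: %r" % userinfo)
    if hostport.startswith("["):                      # IP-literal
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IP literal: %r" % hostport)
        host, rest = hostport[:end + 1], hostport[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("junk after IP literal: %r" % hostport)
        port = rest[1:]
        if not _IP_LITERAL_RE.match(host):
            raise ValueError("invalid IP literal: %r" % host)
    else:                                             # reg-name or IPv4
        host, _, port = hostport.partition(":")
        if not _REG_NAME_RE.match(host):
            raise ValueError("invalid host: %r" % host)
    if not _PORT_RE.match(port):
        raise ValueError("invalid port: %r" % port)
    return userinfo, host, port


def authority_is_unambiguous(url):
    """True when strict_authority() accepts the URL."""
    try:
        strict_authority(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    auth = AMBIGUOUS_URL.split("://", 1)[1].split("/", 1)[0]
    print("first '@' parser host :", host_first_at(auth))   # evil.com
    print("last  '@' parser host :", host_last_at(auth))    # good.com
    print("urllib hostname       :", urllib_host(AMBIGUOUS_URL))
    for u in (AMBIGUOUS_URL,
              "http://user:pass@good.com:8080/x",
              "http://good.com\r\nX-Injected: 1/"):
        print(repr(u), "->", "accepted" if authority_is_unambiguous(u) else "rejected")
```

The check runs on the raw string rather than on `urlsplit(url).netloc` because, as noted in the code, newer Python releases silently drop tab, CR and LF from a URL before splitting it, so a CRLF in the host would pass unnoticed. Rejecting rather than "fixing" an authority with two `@` characters is the safer choice for anything that forwards the URL to another client such as wget: the parse result cannot be relied on when different parsers disagree about it.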

