Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part


From: Orange Tsai
Subject: Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
Date: Tue, 7 Mar 2017 03:08:38 +0800

But still thanks :)
I will try to ask for allocating a CVE from https://cve.mitre.org/


2017-03-07 3:05 GMT+08:00 Orange Tsai <address@hidden>:

> Oops
>
> That's my fault. I sent the wrong mail.
>
> Very sorry :(
>
> 2017-03-07 3:03 GMT+08:00 Tim Rühsen <address@hidden>:
>
>> On Tuesday, 7 March 2017 02:01:06 CET Orange Tsai wrote:
>> > I am surprised that `http://address@hidden:address@hidden` will connect to
>> > `evil.com`, not `good.com`.
>> > Most URL parsers will recognize `good.com` as the host part. Like this
>> > advisory, https://curl.haxx.se/docs/adv_20161102J.html
>> > It seems more dangerous if a developer still relies on the result of parsing
>> > the URL than my original report.
>> >
>> > Some testing:
>> > $ python try.py 'http://address@hidden:address@hidden/x'
>> >
>> > Python scheme=http, address@hidden:address@hidden, port=
>> > PHP scheme=http, host=127.2.2.2, port=
>> > Perl scheme=http, host=127.2.2.2, port=80
>> > Ruby2 scheme=http, host=127.2.2.2, port=
>> > GO scheme=http, host=127.2.2.2, port=
>> > Java scheme=http, host=, port=-1
>> > JS scheme=http, host=127.2.2.2, port=null
>> >
>> >
>> >
>> > But it also seems to be the same root cause and is fixed by this patch. :)
>> > By the way, would you mind allocating a CVE-ID to address this?
>>
>> I'd appreciate that. But I never did that, so who does allocate a CVE how and
>> where? I am willing to learn :-)
>>
>> Tim
>>
>
>
>
> --
> - Orange -
>



-- 
- Orange -
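
Added example, not part of the thread or of wget: a Python pre-flight check a caller can run before handing a URL to a fetcher. It rejects any authority where a parser splitting at the first `@` and one splitting at the last `@` would pick different hosts, and any host carrying raw or percent-encoded CR/LF. The host names, the allow-list and the function names are constructed for illustration.

```python
import re

CTL = re.compile(r"[\x00-\x20\x7f]")        # raw control characters and space
HOST_OK = re.compile(r"^[A-Za-z0-9.-]+$")   # DNS names / IPv4 only; '%' is excluded,
                                            # so %0d%0a in the host is refused too

def authority_of(url):
    """Return (scheme, raw text between '//' and the next '/', '?' or '#')."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("missing scheme")
    return scheme.lower(), re.match(r"[^/?#]*", rest).group(0)

def host_candidates(authority):
    """Hosts two parser styles would pick: split at the first '@' vs the last '@'."""
    after_first = authority.partition("@")[2] if "@" in authority else authority
    after_last = authority.rpartition("@")[2]
    first = re.split(r"[:@]", after_first, maxsplit=1)[0]
    last = re.sub(r":\d*$", "", after_last)
    return first, last

def check_url(url, allowed_hosts):
    """Return (True, host) or (False, reason). IPv6 literals are out of scope."""
    if CTL.search(url):
        return False, "raw control character or whitespace"
    try:
        scheme, authority = authority_of(url)
    except ValueError as exc:
        return False, str(exc)
    if scheme not in ("http", "https"):
        return False, "scheme not allowed"
    first, last = host_candidates(authority)
    if first != last:
        return False, f"ambiguous host: {first!r} vs {last!r}"
    host = last.lower()
    if not HOST_OK.match(host):
        return False, "invalid characters in host"
    if host not in allowed_hosts:
        return False, "host not allowed"
    return True, host

if __name__ == "__main__":
    allowed = {"good.example"}              # constructed allow-list
    for sample in ("http://good.example/x",                      # constructed samples
                   "http://user@good.example:80@evil.example/x",
                   "http://good.example%0d%0ax/"):
        print(sample, "->", check_url(sample, allowed))
```

Rejecting on disagreement, rather than picking one interpretation, keeps the check valid whichever way the downstream fetcher parses the authority.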

