Author maxpl0it
Recipients maxpl0it
Date 2020-02-10.19:29:35
Message-id <1581362975.61.0.33794022777.issue39603@roundup.psfhosted.org>
Content
I recently came across a bug during a pentest that's allowed me to perform some really interesting attacks on a target. While originally discovered in requests, I had been forwarded to one of the urllib3 developers after agreeing that fixing it at its lowest level would be preferable. I was informed that the vulnerability is also present in http.client and that I should report it here as well.

The 'method' parameter is not filtered to prevent the injection from altering the entire request.

For example:
>>> import http.client
>>> conn = http.client.HTTPConnection("localhost", 80)
>>> conn.request(method="GET / HTTP/1.1\r\nHost: abc\r\nRemainder:", url="/index.html")

This will result in the following request being generated:
GET / HTTP/1.1
Host: abc
Remainder: /index.html HTTP/1.1
Host: localhost
Accept-Encoding: identity

This was originally found in an HTTP proxy that was utilising Requests. It allowed me to manipulate the original path to access different files from an internal server since the developers had assumed that the method would filter out non-standard HTTP methods.

The recommended solution is to only allow the standard HTTP methods of GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH.

An alternate solution that would allow programmers to use non-standard methods would be to only support characters [a-z] and stop reading at any special characters (especially newlines and spaces).
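
The two mitigations proposed in the report, as an added example that is not part of the original message or of http.client itself: a caller-side check to run before passing a method to conn.request(). The names validate_method and is_safe are hypothetical; the letters-only mode accepts upper and lower case and rejects a bad value outright instead of truncating it, which is a choice made for this example.

```python
import re

# The nine standard methods listed in the report.
STANDARD_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
)

# Letters only, so no space, CR, LF or other separator can appear.
_LETTERS_ONLY = re.compile(r"[A-Za-z]+")


def validate_method(method, allow_nonstandard=False):
    """Return the method unchanged if acceptable, else raise ValueError."""
    if not isinstance(method, str):
        raise ValueError("method must be a str")
    if allow_nonstandard:
        # fullmatch: a '$'-anchored match() would accept a trailing '\n'.
        if _LETTERS_ONLY.fullmatch(method) is None:
            raise ValueError(f"illegal characters in method: {method!r}")
        return method
    if method not in STANDARD_METHODS:
        raise ValueError(f"non-standard method: {method!r}")
    return method


def is_safe(method, allow_nonstandard=False):
    """Boolean wrapper around validate_method for filtering or logging."""
    try:
        validate_method(method, allow_nonstandard)
        return True
    except ValueError:
        return False


# Constructed inputs; the second is the method value from the report above.
SAMPLES = [
    "GET",
    "GET / HTTP/1.1\r\nHost: abc\r\nRemainder:",
    "PROPFIND",  # non-standard, letters only
    "GET\n",     # trailing newline
    "get",       # the allowlist is case-sensitive
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m!r:50} allowlist={is_safe(m)} letters_only={is_safe(m, True)}")
```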