[HTTPCLIENT-2129] Jakarta Commons-HttpClient/3.1 can bypass Regular and cause ssrf - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Information Provided
Affects Version/s: 3.1 (end of life), 5.0
Fix Version/s: None
Component/s: HttpClient (classic)
Labels:
None
Environment:
all system jdk1.8

Flags:

Important

Description

code :
public byte[] getImage(String url) throws RuntimeException {
if (!Pattern.matches("^(http|https):\\/\\/[^?#\\/]\\.google\\.com
/.", url))

{ return "illegal url! ^(http|https):\\\\/\\\\/[^?#\\\\/]*\\\\.google\\\\.com\\\\/.*".getBytes(); }

else {
ByteArrayOutputStream out = new ByteArrayOutputStream();

try {
HttpClient client = new HttpClient();
GetMethod method = new GetMethod(url);
method.addRequestHeader("client", "httpclient3");
client.executeMethod(method);
InputStream in = method.getResponseBodyAsStream();
int i = false;
byte[] bt = new byte[1024];

int i;
while((i = in.read(bt)) != -1)

{ out.write(bt, 0, i); out.flush(); }

in.close();
} catch (Exception var9) {
Exception e = var9;

try

{ out.write(e.getMessage().getBytes()); out.flush(); }

catch (IOException var8) {
var8.printStackTrace();
}
}

return out.toByteArray();
}
}

you can see the Regular filtering does not allow access to other web pages.such as localhost
but use double @ can bypass the Regular and Cause ssrf

payload is :http://ip/?url=http://@@127.0.0.1:22@w.google.com/
Using this vulnerability, you can access your own server and cause a 302 jump to cause local access, thereby bypassing IP restrictions
[reply [−]

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

screenshot.zip
19/Nov/20 12:52
320 kB
ha1c9on

Activity

People

Assignee:: Unassigned

Reporter:: ha1c9on

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 19/Nov/20 12:54

Updated:: 19/Nov/20 13:09

Resolved:: 19/Nov/20 13:09