Posted to dev@hc.apache.org by "ha1c9on (Jira)" <ji...@apache.org> on 2020/11/19 12:55:00 UTC
[jira] [Created] (HTTPCLIENT-2129) Jakarta Commons-HttpClient/3.1 can bypass Regular and cause ssrf
ha1c9on created HTTPCLIENT-2129:
-----------------------------------
Summary: Jakarta Commons-HttpClient/3.1 can bypass Regular and cause ssrf
Key: HTTPCLIENT-2129
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2129
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient (classic)
Affects Versions: 5.0, 3.1 (end of life)
Environment: all system jdk1.8
Reporter: ha1c9on
Attachments: screenshot.zip
Code:
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

public byte[] getImage(String url) throws RuntimeException {
    // Allowlist check on the raw URL string: only *.google.com URLs are meant to pass
    if (!Pattern.matches("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*", url)) {
        return "illegal url! ^(http|https):\\\\/\\\\/[^?#\\\\/]*\\\\.google\\\\.com\\\\/.*".getBytes();
    } else {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            // Commons HttpClient 3.x fetches whatever host it parses out of the URL
            HttpClient client = new HttpClient();
            GetMethod method = new GetMethod(url);
            method.addRequestHeader("client", "httpclient3");
            client.executeMethod(method);
            InputStream in = method.getResponseBodyAsStream();
            byte[] bt = new byte[1024];
            int i;
            // Copy the response body into the buffer
            while ((i = in.read(bt)) != -1) {
                out.write(bt, 0, i);
                out.flush();
            }
            in.close();
        } catch (Exception var9) {
            Exception e = var9;
            try {
                // Error message is returned to the caller in place of the body
                out.write(e.getMessage().getBytes());
                out.flush();
            } catch (IOException var8) {
                var8.printStackTrace();
            }
        }
        return out.toByteArray();
    }
}
You can see the regular expression filtering does not allow access to other web pages, such as localhost,
but using a double @ can bypass the regular expression and cause SSRF.
Payload: http://ip/?url=http://@@127.0.0.1:22@w.google.com/
Using this vulnerability, you can access your own server and cause a 302 jump to cause local access, thereby bypassing IP restrictions.
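The root cause is that the filter matches a pattern against the raw URL string while the HTTP client decides the destination host from its own parse of the authority, so the two can disagree. The following is an added example, not code from the report or from HttpClient, that puts the report's regex next to a parser-based check: it parses the URL with java.net.URI, rejects anything whose host cannot be determined (java.net.URI returns a null host when the authority is not server-based, which is what happens with more than one '@'), rejects any user-info, and then compares the parsed host against the allowlisted suffix. The allowed suffix `.google.com`, the class name and the sample URLs are assumptions for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.regex.Pattern;

public class UrlAllowlistCheck {

    // The regular expression from the bug report, unchanged.
    private static final Pattern RAW_REGEX =
        Pattern.compile("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*");

    // Hypothetical allowlisted domain suffix (assumed for this example).
    private static final String ALLOWED_SUFFIX = ".google.com";

    // The original check: a regex over the raw string. It cannot tell which part
    // of "@@127.0.0.1:22@w.google.com" a client will treat as the host.
    static boolean regexAllows(String url) {
        return RAW_REGEX.matcher(url).matches();
    }

    // Hardened check: parse first, then validate the parsed components.
    static boolean parsedAllows(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                       // not a syntactically valid URI
        }
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return false;

        // java.net.URI leaves getHost() null when the authority is not
        // server-based (for example more than one '@'); treat that as a rejection.
        String host = uri.getHost();
        if (host == null) return false;

        // Reject user-info entirely: a fetch-by-URL feature has no use for it,
        // and it is the component the '@' trick hides the real host behind.
        if (uri.getRawUserInfo() != null) return false;

        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1);
        // Suffix match on a label boundary: "w.google.com" passes,
        // "evilgoogle.com" and "w.google.com.attacker.example" do not.
        return host.endsWith(ALLOWED_SUFFIX) || host.equals(ALLOWED_SUFFIX.substring(1));
    }

    private static String hostOrNull(String url) {
        try { return new URI(url).getHost(); } catch (URISyntaxException e) { return null; }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second one is the payload from the report.
        String[] samples = {
            "http://w.google.com/image.png",
            "http://@@127.0.0.1:22@w.google.com/",
            "http://localhost/",
            "http://user@w.google.com/",
            "http://w.google.com.attacker.example/"
        };
        for (String s : samples) {
            System.out.printf("%-45s regex=%-5s parsed=%-5s host=%s%n",
                s, regexAllows(s), parsedAllows(s), hostOrNull(s));
        }
    }
}
```

Run as `java UrlAllowlistCheck`: the report's payload is accepted by the regex but rejected by the parsed check, because java.net.URI reports no host for it at all. Two caveats apply to the redirect part of the report: HttpClient 3.x follows redirects on a GET unless `setFollowRedirects(false)` is called on the method, so a check applied only to the initial URL says nothing about where a 302 sends the request; disabling automatic redirects and re-running the same check on each Location target closes that gap. The check above also says nothing about what the allowlisted name resolves to; that requires validating the resolved address at connection time, which is outside this example.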
--
This message was sent by Atlassian Jira
(v8.3.4#803005)