Posted to dev@hc.apache.org by "ha1c9on (Jira)" <ji...@apache.org> on 2020/11/19 12:55:00 UTC

[jira] [Created] (HTTPCLIENT-2129) Jakarta Commons-HttpClient/3.1 can bypass Regular and cause ssrf

ha1c9on created HTTPCLIENT-2129:
-----------------------------------

             Summary:  Jakarta Commons-HttpClient/3.1 can bypass Regular and cause ssrf 
                 Key: HTTPCLIENT-2129
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2129
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient (classic)
    Affects Versions: 5.0, 3.1 (end of life)
         Environment: all system jdk1.8
            Reporter: ha1c9on
         Attachments: screenshot.zip

code:
    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.util.regex.Pattern;
    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;

    public byte[] getImage(String url) throws RuntimeException {
        // Allow-list check on the raw URL string. The host segment is matched by [^?#\/]*,
        // which also accepts '@', so an authority such as "@@127.0.0.1:22@w.google.com" passes.
        if (!Pattern.matches("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*", url)) {
            return "illegal url! ^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*".getBytes();
        } else {
            ByteArrayOutputStream out = new ByteArrayOutputStream();

            try {
                // Commons-HttpClient 3.1 parses the URL with its own parser and follows
                // redirects by default.
                HttpClient client = new HttpClient();
                GetMethod method = new GetMethod(url);
                method.addRequestHeader("client", "httpclient3");
                client.executeMethod(method);
                InputStream in = method.getResponseBodyAsStream();
                byte[] bt = new byte[1024];

                // Copy the response body into the output buffer.
                int i;
                while ((i = in.read(bt)) != -1) {
                    out.write(bt, 0, i);
                    out.flush();
                }

                in.close();
            } catch (Exception e) {
                // On any failure the exception message becomes the returned body.
                try {
                    out.write(e.getMessage().getBytes());
                    out.flush();
                } catch (IOException ioe) {
                    ioe.printStackTrace();
                }
            }

            return out.toByteArray();
        }
    }


You can see that the regular expression filtering does not allow access to other web pages, such as localhost,
but using a double @ can bypass the regular expression and cause SSRF.

The payload is: http://ip/?url=http://@@127.0.0.1:22@w.google.com/
Using this vulnerability, you can access your own server and cause a 302 jump, which causes local access and thereby bypasses IP restrictions.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
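As an added example (not code from the report, from the reporter, or from HttpComponents), the fetcher above rewritten so that the allow-list decision is made on parsed URL components rather than on the raw string. It parses the input with java.net.URI and parseServerAuthority(), which throws for an authority like "@@127.0.0.1:22@w.google.com" that java.net.URI can only read as registry-based (getHost() would otherwise silently be null); it refuses any '@' in the authority and any non-default port; it checks the parsed host against the allow-list; and it disables redirect following so a 302 from an allowed host cannot move the request to a loopback address. The class name SafeImageFetcher, the ALLOWED_SUFFIX constant and the sample URLs in main are assumptions, and the fetch part needs commons-httpclient-3.1.jar on the classpath.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

public class SafeImageFetcher {

    // Hypothetical allow-list: google.com itself or any of its subdomains.
    private static final String ALLOWED_SUFFIX = ".google.com";

    /**
     * Structural validation of a user-supplied URL. Returns the parsed URI if acceptable,
     * throws IllegalArgumentException otherwise. No regex over the raw string: every
     * decision is made on the components java.net.URI actually extracted.
     */
    static URI validate(String url) {
        URI uri;
        try {
            // parseServerAuthority() throws for authorities that java.net.URI could only
            // read as "registry-based", for which getHost() would otherwise be null.
            uri = new URI(url).parseServerAuthority();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable URL: " + e.getMessage());
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme must be http or https");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("no host component");
        }
        // Refuse user-info entirely (even an empty one). URL parsers disagree about which '@'
        // separates credentials from the host, so the safe rule is "no '@' in the authority".
        if (uri.getUserInfo() != null || uri.getRawAuthority().indexOf('@') >= 0) {
            throw new IllegalArgumentException("credentials in URL are not allowed");
        }
        int port = uri.getPort();
        if (port != -1 && port != 80 && port != 443) {
            throw new IllegalArgumentException("port not allowed: " + port);
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!(host.equals(ALLOWED_SUFFIX.substring(1)) || host.endsWith(ALLOWED_SUFFIX))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        return uri;
    }

    /** Fetches the body of a validated URL without following redirects. */
    static byte[] getImage(String url) throws IOException {
        URI target = validate(url);
        HttpClient client = new HttpClient();
        // Hand HttpClient the normalised form of the URI we validated, not the raw input.
        GetMethod method = new GetMethod(target.toASCIIString());
        // The validated host is the only one we agreed to contact: a 302 from it must not be
        // followed automatically, or the allow-list would apply only to the first hop.
        method.setFollowRedirects(false);
        try {
            int status = client.executeMethod(method);
            if (status >= 300 && status < 400) {
                throw new IOException("redirect refused (HTTP " + status + ")");
            }
            InputStream in = method.getResponseBodyAsStream();
            if (in == null) {
                return new byte[0];
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            try {
                byte[] buf = new byte[1024];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
            } finally {
                in.close();
            }
            return out.toByteArray();
        } finally {
            method.releaseConnection();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate URL, the report's payload, and lookalikes.
        String[] samples = {
            "https://www.google.com/images/logo.png",
            "http://@@127.0.0.1:22@w.google.com/",
            "http://user:secret@www.google.com/",
            "http://www.google.com:22/",
            "http://evil-google.com/",
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted; the report's payload is rejected at parseServerAuthority() before any host comparison happens. The fetch still goes through Commons-HttpClient's own URL parser, but once the authority contains no '@' and a single host, the two parsers no longer have anything to disagree about. Refusing redirects is the simplest fix for the 302 pivot the report describes; if redirects are required, the Location target has to go through validate() again before it is fetched.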
