Posted to dev@hc.apache.org by "Oleg Kalnichevski (Jira)" <ji...@apache.org> on 2020/11/19 13:10:00 UTC
[jira] [Resolved] (HTTPCLIENT-2129) Jakarta Commons-HttpClient/3.1 can bypass Regular and cause ssrf
[ https://issues.apache.org/jira/browse/HTTPCLIENT-2129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-2129.
-------------------------------------------
Resolution: Information Provided
HttpClient 3.1 is at end of life and is no longer supported.
Oleg
> Jakarta Commons-HttpClient/3.1 can bypass Regular and cause ssrf
> ------------------------------------------------------------------
>
> Key: HTTPCLIENT-2129
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2129
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 3.1 (end of life), 5.0
> Environment: all system jdk1.8
> Reporter: ha1c9on
> Priority: Minor
> Attachments: screenshot.zip
>
>
> code :
> import java.io.ByteArrayOutputStream;
> import java.io.IOException;
> import java.io.InputStream;
> import java.util.regex.Pattern;
> import org.apache.commons.httpclient.HttpClient;
> import org.apache.commons.httpclient.methods.GetMethod;
>
> public class ImageFetcher {
>     public byte[] getImage(String url) throws RuntimeException {
>         // Allow-list check: a textual regex over the whole URL string, not over the host
>         // that HttpClient will actually connect to after parsing the URL itself.
>         if (!Pattern.matches("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*", url)) {
>             return "illegal url! ^(http|https):\\\\/\\\\/[^?#\\\\/]*\\\\.google\\\\.com\\\\/.*".getBytes();
>         } else {
>             ByteArrayOutputStream out = new ByteArrayOutputStream();
>             try {
>                 HttpClient client = new HttpClient();
>                 GetMethod method = new GetMethod(url);
>                 method.addRequestHeader("client", "httpclient3");
>                 client.executeMethod(method);
>                 // Copy the response body into the buffer 1 KiB at a time
>                 InputStream in = method.getResponseBodyAsStream();
>                 byte[] bt = new byte[1024];
>                 int i;
>                 while ((i = in.read(bt)) != -1) {
>                     out.write(bt, 0, i);
>                     out.flush();
>                 }
>                 in.close();
>             } catch (Exception e) {
>                 // Error text is returned to the caller as the body
>                 try {
>                     out.write(e.getMessage().getBytes());
>                     out.flush();
>                 } catch (IOException ioe) {
>                     ioe.printStackTrace();
>                 }
>             }
>             return out.toByteArray();
>         }
>     }
> }
> You can see the Regular filtering does not allow access to other web pages, such as localhost,
> but using a double @ can bypass the Regular and cause SSRF.
> Payload is: [http://ip/?url=http://@@127.0.0.1:22@w.google.com/]
> Using this vulnerability, you can access your own server and cause a 302 jump to cause local access, thereby bypassing IP restrictions.
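As an added illustration (not part of the report and not HttpClient code), the following Python snippet shows why the whole-URL regex accepts the reported payload while a check made on the parsed host, which also refuses any userinfo in the authority, rejects it. The regex is transcribed from the Java pattern in the report; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# The report's allow-list regex, transcribed from the Java string literal.
VULN_PATTERN = re.compile(r"^(http|https)://[^?#/]*\.google\.com/.*")


def regex_allows(url: str) -> bool:
    """The original check: a textual match over the whole URL string."""
    return VULN_PATTERN.match(url) is not None


def hardened_allows(url: str, allowed_suffix: str = ".google.com") -> bool:
    """Parse first, then decide on the parsed host.

    Any '@' in the authority is refused outright: userinfo is the part of
    the authority that different URL parsers split differently, so a
    textual filter and the HTTP client can disagree about the real host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if "@" in parts.netloc:  # userinfo present: ambiguous authority
        return False
    host = parts.hostname  # lower-cased, port stripped
    if not host:
        return False
    # Exact domain or a subdomain; "evilgoogle.com" must not pass.
    return host == allowed_suffix.lstrip(".") or host.endswith(allowed_suffix)


# Constructed samples: a normal URL, the report's payload, and localhost.
SAMPLES = {
    "http://www.google.com/search?q=x": True,
    "http://@@127.0.0.1:22@w.google.com/": False,
    "http://localhost/": False,
}


def compare(samples=SAMPLES):
    """Return {url: (regex_result, hardened_result, expected)} for each sample."""
    return {u: (regex_allows(u), hardened_allows(u), exp) for u, exp in samples.items()}


if __name__ == "__main__":
    for url, (rx, hard, exp) in compare().items():
        print(f"{url!r}: regex={rx} hardened={hard} expected={exp}")
```

The regex accepts the payload because `[^?#/]*` happily swallows `@@127.0.0.1:22@w`; the hardened check never gets that far since the authority carries an `@`.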
--
This message was sent by Atlassian Jira
(v8.3.4#803005)