Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/05/24 17:00:25 UTC
[Bug 59627] New: request.getRequestURL() does not check if host
header value is a valid hostname format
https://bz.apache.org/bugzilla/show_bug.cgi?id=59627
Bug ID: 59627
Summary: request.getRequestURL() does not check if host header
value is a valid hostname format
Product: Tomcat 7
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
Assignee: dev@tomcat.apache.org
Reporter: dhardik007@gmail.com
request.getRequestURL() method replaces the value of host header in the URL
before returning the value but it does not check if the value is in correct
hostname format.
Consider the following example:
GET /getReqURL/getURL HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101
Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0
In the above request, request.getRequestURL() returns
http://localhost:8888/getReqURL/getURL
If the above request is modified and host header is changed to:
GET /getReqURL/getURL HTTP/1.1
Host: <script>alert(1)</script>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101
Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0
request.getRequestURL() will return the following:
<script>alert(1)</script>/getReqURL/getUR
As RFC2616 does not specify restrictions for a valid host header, this
results in a lack of trust in the value of request.getRequestURL().
Why this is a security issue:
Many web applications which use the servlet API may depend on
request.getRequestURL() for internal URL redirection or displaying the complete
request URL path.
ex: response.getWriter().write("Complete Request URL: " + request.getRequestURL());
This can result in an XSS if the Host header is modified.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 59627] request.getRequestURL() does not check if host header
value is a valid hostname format
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59627
dhardik007@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dhardik007@gmail.com
[Bug 59627] request.getRequestURL() does not check if host header
value is a valid hostname format
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59627
Remy Maucherat <re...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #1 from Remy Maucherat <re...@apache.org> ---
It is up to you to do the appropriate filtering when writing back any user
data. Same for getHeader, etc etc etc, the list is virtually endless.
Please never attempt to report possible security issues through BZ, Tomcat has
a dedicated security mailing list where confidentiality can be maintained.
http://tomcat.apache.org/security.html
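The following is an added example, not code from the bug report or from Tomcat. It puts the reporter's vulnerable pattern (writing the reconstructed request URL straight into HTML) next to the output-escaping that Comment #1 says is the application's responsibility, and adds a strict Host header syntax check as a defence-in-depth step a servlet Filter could apply. The class name, the method names, and the regular expression are the example's own; buildRequestUrl is a simplified stand-in for what getRequestURL() does (scheme, Host header, request URI concatenated without validation), and the two Host values are the ones from the report.

```java
import java.util.regex.Pattern;

/**
 * Added example (hypothetical, not Tomcat code): why getRequestURL() must be
 * escaped before it is written into HTML, plus a Host header sanity check.
 */
public class HostHeaderDemo {

    // Accepts the host[:port] shapes RFC 3986 allows: a DNS-style name,
    // an IPv4 literal, or a bracketed IPv6 literal. Everything else is rejected.
    private static final Pattern VALID_HOST = Pattern.compile(
        "^(?:"
      + "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
      + "(?:\\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\\.?"   // reg-name
      + "|(?:\\d{1,3}\\.){3}\\d{1,3}"                                 // IPv4 literal
      + "|\\[[0-9A-Fa-f:.]+\\]"                                       // IPv6 literal
      + ")(?::\\d{1,5})?$");

    /** Defence in depth: true only if the Host header looks like host[:port]. */
    public static boolean isValidHostHeader(String host) {
        return host != null && VALID_HOST.matcher(host).matches();
    }

    /** Simplified stand-in for getRequestURL(): no validation of the Host value. */
    public static String buildRequestUrl(String scheme, String hostHeader, String requestUri) {
        return scheme + "://" + hostHeader + requestUri;
    }

    /** Minimal HTML escaping for text placed into an HTML element body. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern from the report: an attacker-influenced value written raw into HTML. */
    public static String renderVulnerable(String requestUrl) {
        return "<p>Complete Request URL: " + requestUrl + "</p>";
    }

    /** The fix Comment #1 asks for: escape on output, whatever the value's origin. */
    public static String renderSafe(String requestUrl) {
        return "<p>Complete Request URL: " + escapeHtml(requestUrl) + "</p>";
    }

    public static void main(String[] args) {
        String uri = "/getReqURL/getURL";
        // Constructed inputs: the two Host values shown in the bug report.
        String[] hosts = { "localhost:8888", "<script>alert(1)</script>" };
        for (String host : hosts) {
            String url = buildRequestUrl("http", host, uri);
            System.out.println("Host header syntactically valid: " + isValidHostHeader(host));
            System.out.println("  raw output:     " + renderVulnerable(url));
            System.out.println("  escaped output: " + renderSafe(url));
        }
    }
}
```

In a servlet the same two calls apply to the real objects: pass `request.getHeader("Host")` to isValidHostHeader early in a Filter and reject the request with a 400 if it fails, and pass `request.getRequestURL().toString()` through escapeHtml (or a library escaper) before writing it. The escaping is the mitigation that actually closes the XSS; the Host check only narrows what reaches the application.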
[Bug 59627] request.getRequestURL() does not check if host header
value is a valid hostname format
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59627
--- Comment #2 from Mark Thomas <ma...@apache.org> ---
There is another reason this issue is invalid. It can only happen with a
malicious client.
A normal client will never connect to a server while sending a host header for
something that it can't resolve to an IP address. It takes a malicious client
to do that. If an attacker has managed to install a malicious client on a
victim's PC it is game over before the first byte is sent to the server.
If the attacker has installed this on their own machine then they are free to
attack themselves - and we don't care about that.