Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/11/19 10:14:38 UTC
[Bug 64933] New: Jakarta Commons-HttpClient/3.1 can bypass Regular
and cause ssrf
https://bz.apache.org/bugzilla/show_bug.cgi?id=64933
Bug ID: 64933
Summary: Jakarta Commons-HttpClient/3.1 can bypass Regular and
cause ssrf
Product: Apache httpd-test
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: major
Priority: P2
Component: flood
Assignee: bugs@httpd.apache.org
Reporter: 1287011602@qq.com
Target Milestone: ---
Created attachment 37577
--> https://bz.apache.org/bugzilla/attachment.cgi?id=37577&action=edit
screenshots
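code:
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

public byte[] getImage(String url) throws RuntimeException {
    // Allow-list check on the raw URL string; this is the filter the report bypasses.
    if (!Pattern.matches("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*", url)) {
        return "illegal url! ^(http|https):\\\\/\\\\/[^?#\\\\/]*\\\\.google\\\\.com\\\\/.*".getBytes();
    } else {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            HttpClient client = new HttpClient();
            GetMethod method = new GetMethod(url);
            method.addRequestHeader("client", "httpclient3");
            client.executeMethod(method);
            InputStream in = method.getResponseBodyAsStream();
            byte[] bt = new byte[1024];
            int i;
            // Copy the response body into the buffer returned to the caller.
            while ((i = in.read(bt)) != -1) {
                out.write(bt, 0, i);
                out.flush();
            }
            in.close();
        } catch (Exception var9) {
            Exception e = var9;
            try {
                // On failure the exception message is returned in place of the body.
                out.write(e.getMessage().getBytes());
                out.flush();
            } catch (IOException var8) {
                var8.printStackTrace();
            }
        }
        return out.toByteArray();
    }
}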
You can see that the regular expression filtering does not allow access to other
web pages, such as localhost, but using a double @ can bypass the regular
expression and cause SSRF.
The payload is: http://ip/?url=http://@@127.0.0.1:22@w.google.com/
Using this vulnerability, you can access your own server and cause a 302 jump
to cause local access, thereby bypassing IP restrictions.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
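
Added example, not part of the original report and not Commons-HttpClient code: the regex in the report accepts the payload because `[^?#\/]*` also matches `@`, so the string the filter approves is not a parsed host name. The class and method names below (`UrlAllowlistDemo`, `isAllowed`) are hypothetical, and the stricter check is one possible approach that uses only `java.net.URI` from the JDK.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.regex.Pattern;

public class UrlAllowlistDemo {
    // Regex copied from the report's getImage() check.
    static final Pattern REPORTED =
        Pattern.compile("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*");

    // Hypothetical stricter check: decide on parsed components, never on the raw string.
    static boolean isAllowed(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                      // unparseable input is rejected, not repaired
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false;
        }
        String authority = uri.getRawAuthority();
        // Any '@' means userinfo is present or the authority is ambiguous between parsers.
        if (authority == null || authority.indexOf('@') >= 0) {
            return false;
        }
        String host = uri.getHost();           // null when the authority is not a plain host[:port]
        if (host == null || uri.getPort() != -1) {
            return false;                      // the reported regex allows no explicit port either
        }
        return host.toLowerCase(Locale.ROOT).endsWith(".google.com");
    }

    public static void main(String[] args) {
        String[] samples = {                   // constructed inputs; the second is the report's payload
            "https://www.google.com/logo.png",
            "http://@@127.0.0.1:22@w.google.com/",
            "http://user@w.google.com/",
            "http://w.google.com.example.org/",
        };
        for (String s : samples) {
            System.out.printf("%-40s regex=%-5b strict=%b%n",
                s, REPORTED.matcher(s).matches(), isAllowed(s));
        }
    }
}
```

Because the report also describes a 302 jump to a local address, the same check has to be applied to every redirect target, or redirect following has to be turned off in the client.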
[Bug 64933] Jakarta Commons-HttpClient/3.1 can bypass Regular and
cause ssrf
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64933
Ruediger Pluem <rp...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #1 from Ruediger Pluem <rp...@apache.org> ---
This is the wrong project. You likely need to open the issue at
https://issues.apache.org/jira/projects/HTTPCLIENT/.