https://bz.apache.org/bugzilla/show_bug.cgi?id=59627
Bug ID: 59627
Summary: request.getRequestURL() does not check if host header value is a valid hostname format
Product: Tomcat 7
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
Assignee: [email protected]
Reporter: [email protected]
The request.getRequestURL() method substitutes the value of the Host header into
the URL before returning it, but it does not check that the value is in a valid
hostname format.
Consider the following example:
GET /getReqURL/getURL HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0
In the above request, request.getRequestURL() returns
http://localhost:8888/getReqURL/getURL
If the above request is modified and the Host header is changed to:
GET /getReqURL/getURL HTTP/1.1
Host: <script>alert(1)</script>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0
request.getRequestURL() will return the following:
<script>alert(1)</script>/getReqURL/getUR
Since RFC 2616 does not specify restrictions on what constitutes a valid Host
header, the value of request.getRequestURL() cannot be trusted.
Why this is a security issue:
Many web applications which use the servlet API may depend on
request.getRequestURL() for internal URL redirection or for displaying the
complete request URL.
ex: response.getWriter().write("Complete Request URL: " + request.getRequestURL());
This can result in an XSS if the Host header is modified.
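One container-side mitigation, as an added example that is not part of this bug report or of Tomcat: a servlet filter (javax.servlet 3.0, as used by Tomcat 7) that rejects requests whose Host header is not syntactically a host[:port] and, when configured, not on an allowlist of hostnames the deployment serves, so that the value getRequestURL() is built from never carries untrusted bytes. The filter name, the allowedHosts init-param and the validation regex are this example's own assumptions, not Tomcat configuration.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Rejects requests whose Host header is not a valid host[:port] (RFC 3986
// reg-name, IPv4 literal or bracketed IPv6 literal) or, when an allowlist is
// configured, is not a hostname this deployment serves. getRequestURL() is
// built from the Host header, so filtering here keeps "<script>" out of it.
public class HostHeaderFilter implements Filter {
    // reg-name or "[" IPv6 "]", followed by an optional ":port"
    private static final Pattern VALID_HOST = Pattern.compile(
        "^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(?:\\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\\.?"
        + "|\\[[0-9A-Fa-f:.]+\\])(?::[0-9]{1,5})?$");

    private final Set<String> allowedHosts = new HashSet<String>();

    @Override
    public void init(FilterConfig config) {
        // Hypothetical init-param, e.g. "www.example.com,localhost"; absent = syntax check only.
        String param = config.getInitParameter("allowedHosts");
        if (param == null) return;
        for (String h : param.split(",")) {
            allowedHosts.add(h.trim().toLowerCase(Locale.ROOT));
        }
    }
    // Pure check so it can be unit tested without a container.
    static boolean isAcceptableHost(String host, Set<String> allowed) {
        if (host == null || !VALID_HOST.matcher(host).matches()) return false;
        // Strip the port before comparing against the allowlist.
        String name = host.startsWith("[")
            ? host.substring(0, host.indexOf(']') + 1)
            : host.replaceFirst(":[0-9]+$", "");
        return allowed.isEmpty() || allowed.contains(name.toLowerCase(Locale.ROOT));
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!isAcceptableHost(((HttpServletRequest) req).getHeader("Host"), allowedHosts)) {
            // Plain 400 without echoing the header: the header is the untrusted value.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override
    public void destroy() { }
}
```

With this filter in place, "localhost:8888" passes and "<script>alert(1)</script>" is answered with 400 before any servlet runs; a page that displays getRequestURL() should still HTML-encode it, since the allowlist is a deployment choice rather than a property of the API.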