https://bz.apache.org/bugzilla/show_bug.cgi?id=64933

            Bug ID: 64933
           Summary: Jakarta Commons-HttpClient/3.1 can bypass Regular and
                    cause ssrf
           Product: Apache httpd-test
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: flood
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 37577
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37577&action=edit
screenshots

code :

    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.util.regex.Pattern;
    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;

    // Method from the test application; the host check is a regex over the raw URL
    // string, which allows any characters (including '@') before ".google.com/".
    public byte[] getImage(String url) throws RuntimeException {
        if (!Pattern.matches("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*", url)) {
            return ("illegal url! "
                    + "^(http|https):\\\\/\\\\/[^?#\\\\/]*\\\\.google\\\\.com\\\\/.*").getBytes();
        } else {
            ByteArrayOutputStream out = new ByteArrayOutputStream();

            try {
                HttpClient client = new HttpClient();
                GetMethod method = new GetMethod(url);
                method.addRequestHeader("client", "httpclient3");
                client.executeMethod(method);
                InputStream in = method.getResponseBodyAsStream();
                byte[] bt = new byte[1024];
                int i;
                // Copy the whole response body into the output buffer.
                while ((i = in.read(bt)) != -1) {
                    out.write(bt, 0, i);
                    out.flush();
                }
                in.close();
            } catch (Exception e) {
                // On any failure, the exception message becomes the response body.
                try {
                    out.write(e.getMessage().getBytes());
                    out.flush();
                } catch (IOException ioe) {
                    ioe.printStackTrace();
                }
            }

            return out.toByteArray();
        }
    }


You can see the regular-expression filtering does not allow access to other web pages, such
as localhost,
but using a double @ can bypass the regular expression and cause SSRF.

Payload is: http://ip/?url=http://@@127.0.0.1:[email protected]/

Using this vulnerability, you can access your own server and cause a 302 redirect
to force local access, thereby bypassing IP restrictions.
