Vigil@nce - Apache HttpClient: parameter injection with addRequestHeader
January 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When an attacker can control the parameter of the
addRequestHeader() method of Apache HttpClient, he can insert
additional HTTP headers.
Impacted products: Apache HttpClient
Severity: 1/4
Creation date: 11/01/2013
DESCRIPTION OF THE VULNERABILITY
The HTTP protocol uses text headers, one per line, separated by
line feeds (CR LF). For example:
GET / HTTP/1.0
Host: www.exemple.com
etc.
The addRequestHeader() method of Apache HttpClient is used to add
an HTTP header to a request. However, this method does not forbid
line feeds in its parameter. An attacker can thus use it to add
several HTTP headers at once.
When an attacker can control the parameter of the
addRequestHeader() method of Apache HttpClient, he can therefore
insert additional HTTP headers.
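The check the description implies, as an added example (not code from the bulletin or from Apache HttpClient): a hypothetical HeaderGuard class rejects CR, LF and other control characters before a name and value are handed to addRequestHeader(). The serialize() method is an assumed stand-in for a client that writes values verbatim, and the input value is constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class HeaderGuard {
    // RFC 7230 "token": the characters allowed in a header field name.
    private static final Pattern TOKEN = Pattern.compile("[!#$%&'*+.^_`|~0-9A-Za-z-]+");

    /** Returns the name unchanged, or throws if it is not a valid field name. */
    static String checkName(String name) {
        if (!TOKEN.matcher(name).matches())
            throw new IllegalArgumentException("invalid header name");
        return name;
    }

    /** Returns the value unchanged, or throws if it could end the header line. */
    static String checkValue(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // CR and LF end a header line; reject them and other controls except TAB.
            if ((c < 0x20 && c != '\t') || c == 0x7f)
                throw new IllegalArgumentException(
                    "control character 0x" + Integer.toHexString(c) + " at index " + i);
        }
        return value;
    }
    /** Stand-in (assumption) for a client that writes each name and value verbatim. */
    static String serialize(Map<String, String> headers) {
        StringBuilder sb = new StringBuilder("GET / HTTP/1.0\r\n");
        for (Map.Entry<String, String> e : headers.entrySet())
            sb.append(e.getKey()).append(": ").append(e.getValue()).append("\r\n");
        return sb.append("\r\n").toString();
    }

    public static void main(String[] args) {
        // Constructed input: a value from an untrusted source that contains a line break.
        String untrusted = "en\r\nX-Added: 1";
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", "www.exemple.com");
        headers.put("Accept-Language", untrusted);
        int lines = serialize(headers).split("\r\n").length - 1; // minus the request line
        System.out.println(headers.size() + " headers added, " + lines + " header lines sent");
        try {
            headers.put(checkName("Accept-Language"), checkValue(untrusted));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```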
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-HttpClient-parameter-injection-with-addRequestHeader-12326