Headline
CVE-2023-45539: Ambiguity about how to deal with received fragments in URI from Willy Tarreau on 2023-07-27 ([email protected] from July to September 2023)
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Hello,
An haproxy user rightfully reported that we don’t ignore the fragments in the URIs we receive. While that’s historically true and comes back from the old days where any byte from one side would be passed to the other side, I’m facing a dilemma about how to best deal with it.
Indeed, RFC9110 is pretty clear about the fact that URIs do not contain the fragment component, and even refers to RFC3986 that omits it for scheme-based absolute URIs. But as often, this only concerns senders and does not suggest much about how to proceed on the receiver when that rule is violated. I could be tempted to say that if a fragment is present, the the rule is violated and I should just reject the request as bad with a
- I tried various web servers (among which Apache and NGINX) and all silently trim any received fragment, which leaves me with even more doubt about the suitability of the 400 here…
We could also consider that we continue to accept it and just trim it from the functions that extract it for internal processing, but that would mean we’d continue to pass it to the server, which is contrary to the rules imposed to a client (even though we’re a gateway here, but still we try hard to comply as much as possible and sometimes to repair damaged protocol elements if needed and permitted).
We could also completely trim this one when receiving the request, and probably match more closely what the few servers I’ve tested seem to do, but given that we’re not supposed to receive them, I’m wondering if we’re not hiding the dust under the carpet. It will also mean that they wouldn’t appear in logs anymore, preventing from observing them.
Thus I’d like to collect some opinions here from other implementers. Are there any who reject requests containing fragments in the URI ? If not, are there any good reasons for not doing so (e.g. clients caught sending them from time to time in the past and situation nor re-evaluated since; lack of clarity in older versions of the spec, etc) ?
Without strong support for rejecting these as invalid, I’m probably going to silently fix these requests by trimming the fragment like others seem to do, but I really do not like doing such things that hide interoperability issues without a good reason first. We already have normalization rules in place to either reject or trim, but they’re currently opt-in so we can’t count on that to collect more feedback.
Thanks in advance, Willy
Received on Thursday, 27 July 2023 09:05:14 UTC
Related news
Ubuntu Security Notice 6530-2 - Seth Manesse and Paul Plasil discovered that HAProxy incorrectly handled URI components containing the hash character. A remote attacker could possibly use this issue to obtain sensitive information, or to bypass certain path_end rules.
Red Hat Security Advisory 2024-1142-03 - An update for haproxy is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-1089-03 - An update for haproxy is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Debian Linux Security Advisory 5590-1 - Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling or information disclosure.
Ubuntu Security Notice 6530-1 - It was discovered that HAProxy incorrectly handled URI components containing the hash character. A remote attacker could possibly use this issue to obtain sensitive information, or to bypass certain path_end rules.