CVE-2022-31081: Fix Content-Length ', '-separated string issues · libwww-perl/HTTP-Daemon@e84475d
HTTP::Daemon is a simple HTTP server class written in Perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are: most Perl-based applications are served behind Nginx or Apache, not directly on HTTP::Daemon. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling my $rqst = $conn->get_request() one can inspect the returned HTTP::Request object. Querying the 'Content-Length' header (my $cl = $rqst->header('Content-Length')) will show any abnormalities that should be dealt with by a 400 response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer or a comma-separated repetition of that number (that is, 42 or 42, 42, 42). Anything else MUST be rejected.
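As an added example (not code from the HTTP-Daemon project or from the advisory), here is a mitigation along the lines the advisory describes for users who cannot upgrade: a validator that accepts only a single non-negative integer or a comma-separated repetition of that same integer, and a small HTTP::Daemon accept loop that answers 400 and drops the connection when the check fails. The loopback address, port 8080, the function names and the sample header values are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Response;

# Validate a raw Content-Length header value against the rule in the
# advisory: a single non-negative integer ("42") or a comma-separated
# repetition of that same integer ("42, 42, 42"). Returns the single
# canonical value on success and undef when the request must be rejected.
sub canonical_content_length {
    my ($raw) = @_;
    return undef unless defined $raw;

    # Split on commas and trim surrounding whitespace. The -1 limit keeps
    # trailing empty fields, so "42," and "," are rejected below instead of
    # silently collapsing to "42" or to nothing.
    my @vals = map { my $v = $_; $v =~ s/^\s+|\s+$//g; $v } split /,/, $raw, -1;
    return undef unless @vals;

    # Every element must be 1*DIGIT; \A and \z anchor the whole string so a
    # trailing newline or a sign character cannot slip through.
    for my $v (@vals) {
        return undef unless $v =~ /\A[0-9]+\z/;
    }

    # Every element must name the same number; "42, 43" leaves the message
    # framing ambiguous and is exactly what must be answered with 400.
    my $first = $vals[0];
    for my $v (@vals) {
        return undef unless $v == $first;
    }
    return $first;
}

# Serve requests on a loopback port (address and port are assumptions for
# this example) and reject with 400 any request whose Content-Length does
# not reduce to one unambiguous value before doing anything with it.
sub serve {
    my $d = HTTP::Daemon->new(
        LocalAddr => '127.0.0.1',
        LocalPort => 8080,
        ReuseAddr => 1,
    ) or die "cannot listen: $!";
    print "listening on ", $d->url, "\n";

    while (my $conn = $d->accept) {
        while (my $rqst = $conn->get_request) {
            my $cl = $rqst->header('Content-Length');
            if (defined $cl && !defined canonical_content_length($cl)) {
                $conn->send_error(400, "Content-Length is not a single unsigned integer");
                last;    # stop reading on a connection whose framing is in doubt
            }
            $conn->send_response(HTTP::Response->new(200, 'OK', undef, "ok\n"));
        }
        $conn->close;
        undef $conn;
    }
}

# Constructed sample header values, run when the script is started without
# arguments so the validator can be exercised without opening a socket.
my @samples = ('42', ' 42 , 42,42 ', '42, 43', '42abc', '-1', '42,', ',', '');
if (@ARGV && $ARGV[0] eq '--serve') {
    serve();
} else {
    for my $s (@samples) {
        my $v = canonical_content_length($s);
        printf "%-16s => %s\n", "'$s'", defined $v ? "accept $v" : 'reject (400)';
    }
}
```

Run it without arguments to see how each constructed sample is classified, or with --serve to start the listener. Two design choices matter here: splitting with a negative limit keeps trailing empty fields, so a stray trailing comma is rejected rather than ignored; and once a request's Content-Length is ambiguous the connection is closed rather than reused, because the bytes that follow can no longer be attributed to a request boundary with confidence.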
@@ -288,6 +288,32 @@ READ_HEADER: } elsif ($ct_len) {
After a security issue, we ensure we comply to # RFC-7230 – HTTP/1.1 Message Syntax and Routing # section 3.3.2 – Content-Length # section 3.3.3 – Message Body Length
split and clean up Content-Length ', ' separated string my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; $str } split ',’, $ct_len; # check that they are all numbers (RFC: Content-Length = 1*DIGIT) my @nums = grep { /^[0-9]+$/} @vals; unless (@vals == @nums) { $self->send_error(400); $self->reason(“Content-Length value must be a unsigned integer”); return; } # check they are all the same my $ct_len = shift @nums; foreach (@nums) { next if $_ == $ct_len; $self->send_error(400); $self->reason(“Content-Length values are not the same”); return; } # ensure we have now a fixed header, with only 1 value $r->header(‘Content-Length’ => $ct_len);
Plain body specified by “Content-Length” my $missing = $ct_len - length($buf); while ($missing > 0) {
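Review bot: the new validation can still pass a Content-Length that yields no usable value. With a default `split ',', $ct_len`, Perl drops trailing empty fields, so a header of just `,` (truthy, so it enters this `elsif ($ct_len)` branch) splits to an empty @vals, `unless (@vals == @nums)` does not fire because both are empty, `shift @nums` returns undef, and the header is then rewritten to an undefined value that is fed into `$ct_len - length($buf)`; a trailing comma such as `42,` is likewise accepted silently. Suggest splitting with a negative limit (`split /,/, $ct_len, -1`) so empty fields are kept and fail the digit check, and additionally rejecting when `@nums` is empty, e.g. `unless (@nums) { $self->send_error(400); return; }`. Two smaller points: `my $ct_len = shift @nums;` redeclares the outer `$ct_len` inside the branch, which works but reads as if the outer value were being reassigned, so a distinct name would be clearer; and the reason text should read "an unsigned integer".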
Related news
Ubuntu Security Notice 5520-2 - USN-5520-1 fixed a vulnerability in HTTP-Daemon. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that HTTP-Daemon incorrectly handled certain crafted requests. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.
Ubuntu Security Notice 5520-1 - It was discovered that HTTP-Daemon incorrectly handled certain crafted requests. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.