what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Eclipse Vert.x 3.5.1 HTTP Header Injection

Eclipse Vert.x 3.5.1 HTTP Header Injection
Posted Jun 13, 2018
Authored by Lukasz D.

Eclipse Vert.x versions 3.0.0 through 3.5.1 suffer from an HTTP header injection vulnerability.

tags | exploit, web
SHA-256 | ead21d1d6f83b7ca507718762f39d1619b3781521f8a6f6887698bae11fd431d

Eclipse Vert.x 3.5.1 HTTP Header Injection

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Vert.x [1]
# CSNC ID: CSNC-2018-021
# Subject: HTTP Header Injection
# Risk: Medium
# Effect: Remotely exploitable
# Author: Lukasz D. (advisories@compass-security.com)
# Date: 12.06.2018
#
#############################################################

Introduction:
-------------
Eclipse Vert.x is a tool-kit for building reactive applications on the JVM.
Vert.x can be used for simple network utilities, sophisticated modern web
applications, HTTP/REST microservices, high volume event processing
or a full-blown back-end message-bus applications. Vert.x is used by many
different companies from real-time gaming to banking and everything in between.

Vert.x does not filter carriage return and line feed characters from values of
set HTTP response headers. This allows to manipulate values of the set HTTP
headers and to add arbitrary new headers. In particular, issuing a redirection
and manipulation of cookies set by the server is possible.

Affected:
---------
The following Vert.x versions are vulnerable:
- 3.0.0 - 3.5.1

Technical Description:
----------------------
The method putHeader(String name, String value) used to set new headers in the
HTTP response does not filter carriage return and line feed characters from
the header value. If a web application uses a user-provided parameter as
a value of the header, then it is possible for a user to add new HTTP headers
of his choice.

For example, a Vert.x-based web application may use the vulnerable method like
this: putHeader("User-Header", foo), where foo is the user-provided parameter.

Then:
Requesting /vulnerable?foo=bar will add a header: "User-Header: bar".
Requesting /vulnerable?foo=bar%0D%0ASet-Cookie:%20mycookie=hello will add
a header: "User-Header: bar" and additionally will set a new cookie
with name "mycookie" and value "hello".

Workaround / Fix:
-----------------
It needs to be ensured that every header value which is set based on
a user-provided parameter does not contain carriage return and line feed
characters.

Timeline:
---------
2018-02-22: Vulnerability discovered
2018-04-04: Initial vendor notification
2018-04-04: Initial vendor response
2018-06-04: Patched version released
2018-06-13: Public disclosure

References:
-----------
[1]: https://vertx.io/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close