WebApp Sec mailing list archives
Is this exploitable?..
From: "Benjamin Livshits" <livshits () cs stanford edu>
Date: Wed, 15 Dec 2004 14:42:24 -0800
I was looking at the following code in J2EE 1.4.1 HttpServlet.java and it looks like it may be possible to exploit it:

    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException
    {
        int responseLength;

        String CRLF = "\r\n";
        // request line of the echoed message: method, URI, protocol
        String responseString = "TRACE "+ req.getRequestURI()+
            " " + req.getProtocol();

        Enumeration reqHeaderEnum = req.getHeaderNames();

        // copy every request header, name and value, into the body
        while( reqHeaderEnum.hasMoreElements() ) {
            String headerName = (String)reqHeaderEnum.nextElement();
            responseString += CRLF + headerName + ": " +
                req.getHeader(headerName);
        }

        responseString += CRLF;

        responseLength = responseString.length();

        resp.setContentType("message/http");
        resp.setContentLength(responseLength);
        ServletOutputStream out = resp.getOutputStream();
        out.print(responseString);
        out.close();
        return;
    }

It looks like responseString obtained from req is forgeable and this may conceivably lead to a vulnerability down the line, it seems, when responseString is output with a call to out.print(responseString). Please advise.

-Ben
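The doTrace() Ben quotes copies every request header into a message/http response body, so a TRACE reply carries back whatever the client sent, Cookie and Authorization headers included. The usual defensive answer is to refuse TRACE before any servlet's doTrace() runs. The following servlet Filter is an added example written for this thread, not code from the J2EE HttpServlet source or from anyone in the discussion; the class name DenyTraceFilter and the Allow list are made up for illustration.

```java
// Added example, not part of the J2EE HttpServlet source quoted above.
// Rejects TRACE with 405 Method Not Allowed ahead of every servlet, so the
// header-echoing doTrace() is never reached. Class name and Allow list are
// assumptions made for the example.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DenyTraceFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws IOException, ServletException {

        if (request instanceof HttpServletRequest) {
            String method = ((HttpServletRequest) request).getMethod();

            // equalsIgnoreCase is deliberately conservative: the container
            // dispatches on the exact token, but we reject any spelling.
            if ("TRACE".equalsIgnoreCase(method)) {
                HttpServletResponse resp = (HttpServletResponse) response;
                // Tell the client what the application does accept, then stop.
                resp.setHeader("Allow", "GET, HEAD, POST, OPTIONS");
                resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;  // request is not passed down the chain
            }
        }

        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern is /* so it sits in front of every servlet in the application. It only governs requests that reach the web application; if the container itself answers TRACE, that is a separate setting to check.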
Current thread:
- Is this exploitable?.. Benjamin Livshits (Dec 16)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Stephen de Vries (Dec 20)
- Re: Is this exploitable?.. Tim (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)