Project: libhv
Tested Version: v1.3.0 (commit 579938146ff0cd99d379c038bea80d3241c5bc36)
Github Repository: https://github.com/ithewei/libhv
libhv is vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.
References about this vulnerability and its impact:
- https://owasp.org/www-community/vulnerabilities/CRLF_Injection
- https://cwe.mitre.org/data/definitions/113.html
References to similar issues affecting other projects:
- https://security.snyk.io/vuln/SNYK-SWIFT-SWIFTSERVERASYNCHTTPCLIENT-3237994
- https://security.snyk.io/vuln/SNYK-JS-UNDICI-2980276
Install and build the project https://github.com/ithewei/libhv#%EF%B8%8F-build
git clone https://github.com/ithewei/libhv.git
cd libhv
mkdir build
cd build
cmake ..
cmake --build .
The PoC demonstrates how it's possible to add arbitrary headers.
- create and start local server to log incoming requests:
  python3 server.py
- paste the http_client_test.cpp content under https://github.com/ithewei/libhv/blob/master/examples/http_client_test.cpp
- run the client:
  cmake --build .
  ./bin/http_client_test
Server logs:
Starting server...
GET request,
Path: /test1
Headers:
Accept: */*
Connection: keep-alive
Host: 127.0.0.1:8080
MyHeader: test
evil: hello1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
127.0.0.1 - - [16/May/2023 12:20:28] "GET /test1 HTTP/1.1" 200 -
If untrusted user input is placed in header values, a malicious user could inject additional headers. It can lead to logical errors and other misbehaviours.
Alessio Della Libera
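The header splitting shown in the server log, and a check that stops it, as an added example (not code from the report or from libhv). The serializer, the function names and the `test\r\nevil: hello1` value are hypothetical, constructed to match the log above.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>

typedef std::map<std::string, std::string> Headers;

// RFC 7230 "token" characters are the only ones allowed in a field name.
bool is_valid_header_name(const std::string& name) {
    static const std::string extra = "!#$%&'*+-.^_`|~";
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (!std::isalnum(c) && extra.find(static_cast<char>(c)) == std::string::npos) return false;
    return true;
}

// Reject CR, LF and NUL: the bytes that can end a header line early.
bool is_valid_header_value(const std::string& value) {
    return value.find_first_of("\r\n\0", 0, 3) == std::string::npos;
}

// Hypothetical serializer (not libhv's code): one "Name: value\r\n" per entry.
// With validate=true it fails closed and leaves `out` untouched.
bool serialize_headers(const Headers& headers, bool validate, std::string& out) {
    std::string wire;
    for (const auto& kv : headers) {
        if (validate && !(is_valid_header_name(kv.first) && is_valid_header_value(kv.second)))
            return false;
        wire += kv.first + ": " + kv.second + "\r\n";
    }
    out = wire;
    return true;
}

// Count header lines the way a receiver splits them: on CRLF.
std::size_t count_header_lines(const std::string& wire) {
    std::size_t n = 0;
    for (std::size_t pos = 0; (pos = wire.find("\r\n", pos)) != std::string::npos; pos += 2) ++n;
    return n;
}

int main() {
    Headers h;
    h["MyHeader"] = "test\r\nevil: hello1";  // constructed input: one header set by the caller
    std::string wire;
    serialize_headers(h, false, wire);
    std::cout << "unvalidated: " << count_header_lines(wire) << " header lines\n";
    std::cout << "validated: " << (serialize_headers(h, true, wire) ? "sent" : "rejected") << "\n";
}
```

Rejecting the request is safer than stripping the offending bytes, since a stripped value still reaches the server in a form the caller never intended.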
Why don't I understand what problem this would cause? What impact would adding one more request header have?