Internet Bug Bounty: Request line injection via HTTP/2 in Apache mod_proxy

HackerOne report 1391549 by albinowax (hackerone.com)
Disclosed: 2021-11-04 13:39:46
Bounty: $1200

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.002 Low
Percentile: 57.7%

I’ve written this issue up fully here: https://portswigger.net/research/http2#request

In case it’s useful, here’s the original report as sent to Apache:

> I’d like to report a vulnerability in Apache mod_proxy when used with HTTP/2 enabled.
>
> It fails to reject HTTP requests that contain spaces in the :method HTTP/2 pseudo-header. This leads to a request-line injection vulnerability when it downgrades the requests to HTTP/1.1 and routes them on to the backend.
>
> Attacker HTTP/2 request:
>
> ```
> :method: GET /anything HTTP/1.1
> :path: /
> :authority: psres.net
> Accept-Encoding: gzip, deflate
> ```
>
> Resulting request forwarded to the backend by mod_proxy:
>
> ```
> GET /anything HTTP/1.1 / HTTP/1.1
> Host:: psres.net
> Accept-Encoding: gzip, deflate
> ```
>
> Provided the back-end server tolerates trailing junk in request lines, this enables attackers to bypass front-end security rules, poison web caches, and change the protocol to HTTP/0.9 or 1.0, potentially enabling further attacks. I have identified some vulnerable systems in the wild.

Please let me know if you’d like any additional information.

Impact

This lets attackers bypass front-end security rules like block-rules and escape subfolders. In some cases it may enable further attacks via protocol-downgrades and cache poisoning.
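As an added illustration (not code from the report or from Apache), the following Python contrasts an unchecked HTTP/2-to-HTTP/1.1 downgrade, which reproduces the forwarded request quoted above, with a hardened one that rejects a :method outside the RFC 9110 token set and whitespace in :path and :authority. The function names and sample values are assumptions made for this example.

```python
import re

# RFC 9110 "token" characters, the only ones allowed in a method; space is not one of them.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class DowngradeError(ValueError):
    """A pseudo-header value cannot safely be placed in an HTTP/1.1 request line."""

def naive_downgrade(pseudo, headers):
    """Unchecked HTTP/2 -> HTTP/1.1 downgrade: values are pasted verbatim into the
    request line, so a space in :method injects extra tokens (the reported bug)."""
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo[':authority']}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

def strict_downgrade(pseudo, headers):
    """Hardened downgrade: refuse any value that could alter the request line
    or split a header before the request is serialised for the back end."""
    method = pseudo.get(":method", "")
    if not _TOKEN_RE.fullmatch(method):
        raise DowngradeError(f"invalid :method {method!r}")
    for name in (":path", ":authority"):
        value = pseudo.get(name, "")
        if not value or any(ch.isspace() for ch in value):
            raise DowngradeError(f"invalid {name} {value!r}")
    for name, value in headers:
        if any(ch.isspace() for ch in name) or "\r" in value or "\n" in value:
            raise DowngradeError(f"invalid header {name!r}")
    return naive_downgrade(pseudo, headers)

def request_line(raw):
    """First line of a serialised HTTP/1.1 request."""
    return raw.split("\r\n", 1)[0]

def is_rejected(pseudo, headers):
    """True if the strict downgrade refuses the request."""
    try:
        strict_downgrade(pseudo, headers)
    except DowngradeError:
        return True
    return False

# Constructed samples: the attacker request quoted in the report, and a benign one.
ATTACKER_PSEUDO = {":method": "GET /anything HTTP/1.1", ":path": "/", ":authority": "psres.net"}
ATTACKER_HEADERS = [("Accept-Encoding", "gzip, deflate")]
BENIGN_PSEUDO = {":method": "GET", ":path": "/", ":authority": "psres.net"}

if __name__ == "__main__":
    print(request_line(naive_downgrade(ATTACKER_PSEUDO, ATTACKER_HEADERS)))
```

Running it prints the injected request line `GET /anything HTTP/1.1 / HTTP/1.1`, while `is_rejected(ATTACKER_PSEUDO, ATTACKER_HEADERS)` returns True.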
