Package: links-ssl
Version: 0.96.20020409-2
Severity: grave
Tags: security
Justification: user security hole

Hi,

put this into an HTML file:

<a href="http://localhost:12345/blah.php Host:blurgl.tld X-Blub:">a</a>

when using that link, links-ssl (I guess that this applies to links
without ssl, too) will generate the following request to localhost,
port 12345:

| GET /blah.php
| Host:blurgl.tld
| X-Blub: HTTP/1.1
| Host: localhost:12345
| User-Agent: ELinks (0.4pre5; Linux 2.4.27 i686; 132x60)
| Accept: */*
| Connection: Keep-Alive

Apart from the fact that this shouldn't happen, I could imagine at
least this particular scenario to be used in an attack: On a
sufficiently permissive HTTP server that allows the protocol version
field to be missing and that accepts the first Host: header as the
significant one, this could lead to cookies belonging to
localhost:12345 getting into the hands of the virtual host blurgl.tld
on the same server.

Cya, Florian

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux florz 2.4.27 #3 Sat Aug 28 04:55:31 CEST 2004 i686
Locale: LANG=C, [EMAIL PROTECTED]

Versions of packages links-ssl depends on:
ii  libc6        2.2.5-11.8        GNU C Library: Shared libraries an
ii  libgpmg1     1.19.6-12         General Purpose Mouse Library [lib
ii  liblua40     4.0-4             Main interpreter library for the L
ii  liblualib40  4.0-4             Extension library for the Lua prog
ii  libssl0.9.6  0.9.6c-2.woody.7  SSL shared libraries
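One way a client can keep URL bytes from becoming extra request lines, shown as an added example that is not part of the report and is not links or ELinks source: percent-encode every control, space and non-ASCII byte of the path before it is written into the request head, and refuse a host that contains one. The function names and the sample input in `main` are hypothetical and constructed; the encoding covers the href whether its separators were spaces or line breaks.

```c
#include <stdio.h>
#include <string.h>

/* Controls (CR, LF, TAB), space, DEL and non-ASCII bytes must never be
 * written raw into a request target or a Host value. */
static int unsafe_byte(unsigned char c) { return c <= 0x20 || c >= 0x7f; }

/* Percent-encode unsafe bytes of path into out; -1 if out is too small. */
int encode_target(const char *path, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (; *path; path++) {
        unsigned char c = (unsigned char)*path;
        size_t need = unsafe_byte(c) ? 3 : 1;
        if (o + need >= outlen)          /* keep room for the NUL */
            return -1;
        if (need == 3) {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 15];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Build the request head. The only CRLFs in the result are the ones
 * this function writes itself. Returns 0 on success, -1 on refusal. */
int build_request(const char *host, const char *path, char *out, size_t outlen)
{
    char target[512];
    int n;
    if (encode_target(path, target, sizeof target) != 0)
        return -1;
    for (const char *p = host; *p; p++)  /* host comes from the same URL */
        if (unsafe_byte((unsigned char)*p))
            return -1;
    n = snprintf(out, outlen, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char req[1024];  /* constructed input modelled on the href in the report */
    if (build_request("localhost:12345", "/blah.php\nHost:blurgl.tld\nX-Blub:", req, sizeof req) == 0)
        fputs(req, stdout);
    return 0;
}
```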