Your message dated Mon, 4 Apr 2005 02:52:45 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#302421: not valid
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Florian Zumbiehl <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: links-ssl: handles line breaks in link URLs incorrectly
X-Mailer: reportbug 1.50
Date: Thu, 31 Mar 2005 20:30:29 +0200

Package: links-ssl
Version: 0.96.20020409-2
Severity: grave
Tags: security
Justification: user security hole

Hi,

Put this into an HTML file:

<a href="http://localhost:12345/blah.php&#10;Host:blurgl.tld&#10;X-Blub:">a</a>

When using that link, links-ssl (I guess that this applies to links without
ssl, too) will generate the following request to localhost, port 12345:

| GET /blah.php
| Host:blurgl.tld
| X-Blub: HTTP/1.1
| Host: localhost:12345
| User-Agent: ELinks (0.4pre5; Linux 2.4.27 i686; 132x60)
| Accept: */*
| Connection: Keep-Alive

Apart from the fact that this shouldn't happen, I could imagine at least
this particular scenario to be used in an attack: On a sufficiently
permissive HTTP server that allows the protocol version field to be
missing and that accepts the first Host: header as the significant
one, this could lead to cookies belonging to localhost:12345 getting
into the hands of the virtual host blurgl.tld on the same server.

Cya, Florian

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux florz 2.4.27 #3 Sat Aug 28 04:55:31 CEST 2004 i686
Locale: LANG=C, [EMAIL PROTECTED]

Versions of packages links-ssl depends on:
ii  libc6                   2.2.5-11.8       GNU C Library: Shared libraries an
ii  libgpmg1                1.19.6-12        General Purpose Mouse Library [lib
ii  liblua40                4.0-4            Main interpreter library for the L
ii  liblualib40             4.0-4            Extension library for the Lua prog
ii  libssl0.9.6             0.9.6c-2.woody.7 SSL shared libraries
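
Added example, not part of the original report and not code from links or ELinks: one way an HTTP client can build its request line so that a line feed decoded from `&#10;` in a link target cannot start a new header line. The function names `encode_request_target` and `build_get_request` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: percent-encode every byte that must not appear raw in
 * an HTTP request line (controls including CR/LF, space, DEL, non-ASCII).
 * Returns the encoded length, or -1 if out is too small. */
int encode_request_target(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = (c <= 0x20 || c >= 0x7f) ? 3 : 1;

        if (o + need >= outsz)      /* always leave room for the NUL */
            return -1;
        if (need == 3) {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical helper: build a minimal GET request. The host is rejected
 * outright if it contains CR, LF, tab or space; the target is encoded.
 * Returns the request length, or -1 on error. */
int build_get_request(const char *host, const char *target,
                      char *out, size_t outsz)
{
    char enc[512];
    int n;

    if (host[strcspn(host, "\r\n\t ")] != '\0')
        return -1;
    if (encode_request_target(target, enc, sizeof enc) < 0)
        return -1;
    n = snprintf(out, outsz, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", enc, host);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
```

With the link target from the report as input, the line feeds reach the wire as `%0A` inside the request target, so the server sees one request line and one Host header.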


---------------------------------------
Date: Mon, 4 Apr 2005 02:52:45 +0200
From: Peter Gervai <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Bug#302421: not valid

links-ssl package was *removed* from Debian in June, 2004.

links and elinks (and links2 by the way) do not show any signs
of this bug.

Closing.

