major bug fix reported by Ahmed Shawky (there was a possibility of double url encoding of parameter values)

2024-11-22 09:36:35 +03:00 · 2011-01-27 18:36:28 +00:00 · 2011-01-27 18:36:28 +00:00 · 81722b6881
commit 81722b6881
parent 03413bd5e0
4 changed files with 11 additions and 6 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -335,6 +335,9 @@ Sven Schluter <sschlueter@netzwerk.cc>
 Uemit Seren <uemit.seren@gmail.com>
    for reporting a minor adjustment when running with python 2.6

+Ahmed Shawky <ahmed@isecur1ty.org>
+    for reporting a major bug with improper handling of parameter values
+
 Brian Shura <bshura@appsecconsulting.com>
    for reporting a bug

--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -45,6 +45,7 @@ from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.data import queries
 from lib.core.convert import htmlunescape
+from lib.core.convert import urldecode
 from lib.core.convert import urlencode
 from lib.core.enums import DBMS
 from lib.core.enums import PLACE
@ -704,7 +705,7 @@ def parseTargetUrl():
        conf.port = 80

    if __urlSplit[3]:
-        conf.parameters[PLACE.GET] = __urlSplit[3]
+        conf.parameters[PLACE.GET] = urldecode(__urlSplit[3])

    conf.url = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, conf.path)

--- a/lib/core/target.py
+++ b/lib/core/target.py
@ -16,6 +16,7 @@ import time
 from lib.core.common import dataToSessionFile
 from lib.core.common import paramToDict
 from lib.core.common import readInput
+from lib.core.convert import urldecode
 from lib.core.data import cmdLineOptions
 from lib.core.data import conf
 from lib.core.data import kb
@ -61,7 +62,7 @@ def __setRequestParams():

    if conf.data:
        conf.data = conf.data.replace("\n", " ")
-        conf.parameters[PLACE.POST] = conf.data
+        conf.parameters[PLACE.POST] = urldecode(conf.data)

        # Check if POST data is in xml syntax
        if re.match("[\n]*<(\?xml |soap\:|ns).*>", conf.data):
@ -104,7 +105,7 @@ def __setRequestParams():
        for httpHeader, headerValue in conf.httpHeaders:
            if httpHeader == PLACE.UA:
                # No need for url encoding/decoding the user agent
-                conf.parameters[PLACE.UA] = headerValue
+                conf.parameters[PLACE.UA] = urldecode(headerValue)

                condition  = not conf.testParameter
                condition |= PLACE.UA in conf.testParameter
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@ -409,16 +409,16 @@ class Connect:
            checkPayload(value)

        if PLACE.GET in conf.parameters:
-            get = conf.parameters[PLACE.GET] if place != PLACE.GET or not value else value
+            get = urlencode(conf.parameters[PLACE.GET]) if place != PLACE.GET or not value else value

        if PLACE.POST in conf.parameters:
-            post = conf.parameters[PLACE.POST] if place != PLACE.POST or not value else value
+            post = urlencode(conf.parameters[PLACE.POST]) if place != PLACE.POST or not value else value

        if PLACE.COOKIE in conf.parameters:
            cookie = conf.parameters[PLACE.COOKIE] if place != PLACE.COOKIE or not value else value

        if PLACE.UA in conf.parameters:
-            ua = conf.parameters[PLACE.UA] if place != PLACE.UA or not value else value
+            ua = urlencode(conf.parameters[PLACE.UA]) if place != PLACE.UA or not value else value

        if PLACE.URI in conf.parameters:
            uri = conf.url if place != PLACE.URI or not value else value