BusyBox
cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*
- <= 1.3.7
A header injection vulnerability has been identified in BusyBox Wget versions through 1.3.7. Wget copies the HTTP request-target (the path and query components of the URL) into the request line without checking it, so raw carriage return (CR), line feed (LF) and other C0 control bytes in the URL are sent verbatim. A CR LF pair inside the request-target terminates the request line early, and whatever follows is parsed by the server as additional header lines. The issue is reachable whenever the URL handed to Wget is attacker-controlled, for example when a script or service builds the URL from user input.
Exploitation of this vulnerability allows for arbitrary HTTP header injection, which can bypass application-level checks, alter routing, or cause cache poisoning, depending on the environment.
The vulnerability can be reproduced by pointing BusyBox Wget at a listener you control (a raw TCP listener such as nc, or an intercepting HTTP proxy) and passing a URL whose path contains a raw CR LF sequence followed by a header line, for example by using the shell's $'...' quoting to embed \r\n. The listener shows the injected header on its own line after the request line, confirming that the request line was split.
Users are advised to update to a BusyBox release that contains the fix. The patch rejects control characters and raw spaces in the request-target, and properly sanitizes the path data Wget sends over the FTP control connection.
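The following is an added example, not BusyBox source code, that models both the vulnerable behaviour described above and the check the patch introduces. naive_request() pastes the request-target into the request line unchecked, as the affected Wget does; checked_request() rejects C0 control bytes, DEL and raw spaces before building the request; parse_request() shows what a listener would receive. The host name, paths and header names are constructed for the demonstration, and the DEL check is an assumption about a sensible hardening rather than something the advisory states.

```python
# Added example (not BusyBox source): models the request-target handling the
# advisory describes. Host names, paths and header names are constructed.
from typing import Dict, Optional, Tuple


class BadRequestTarget(ValueError):
    """Raised when a request-target contains bytes that could split the request line."""


def naive_request(host: str, target: str) -> bytes:
    """Vulnerable pattern: the request-target is pasted into the request line
    unchecked, so a CR LF inside it ends the line and whatever follows is read
    by the server as header lines."""
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: Wget\r\n"
        f"\r\n"
    ).encode("latin-1")


def checked_request(host: str, target: str) -> bytes:
    """Hardened pattern mirroring the described fix: reject C0 control bytes
    (0x00-0x1F) and raw spaces. DEL (0x7F) is rejected too (an assumption, not
    stated in the advisory). Percent-encoded sequences such as %0d%0a are plain
    ASCII and pass through, which is correct: a client must never decode them
    into the request line."""
    for ch in target:
        code = ord(ch)
        if code <= 0x1F or code == 0x7F or ch == " ":
            raise BadRequestTarget(f"forbidden byte 0x{code:02x} in request-target")
    return naive_request(host, target)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """What the listener sees: the request line, then header lines up to the
    blank line. Header names are lower-cased; a repeated name keeps the last value."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return request_line, headers


# Constructed attacker-controlled target. The raw space keeps the request line
# well formed ("GET /index.html HTTP/1.1"), each CR LF opens a new header line,
# and the trailing "X-Trailer:" absorbs the " HTTP/1.1" the client appends.
MALICIOUS_TARGET = "/index.html HTTP/1.1\r\nX-Injected: yes\r\nX-Trailer:"
# Same payload percent-encoded: harmless, because the client sends it verbatim.
BENIGN_TARGET = "/index.html?q=a%0d%0aX-Injected:%20yes"


def injected_header_value(host: str, target: str) -> Optional[str]:
    """Run a target through the naive builder and report whether an
    X-Injected header reached the listener (None if it did not)."""
    _, headers = parse_request(naive_request(host, target))
    return headers.get("x-injected")


if __name__ == "__main__":
    line, headers = parse_request(naive_request("example.test", MALICIOUS_TARGET))
    print("request line  :", line)
    for name, value in headers.items():
        print(f"header        : {name}: {value}")
    try:
        checked_request("example.test", MALICIOUS_TARGET)
    except BadRequestTarget as err:
        print("checked client:", err)
    print("encoded target accepted:", checked_request("example.test", BENIGN_TARGET) is not None)
```

Run it as a script to see the split request as a listener would print it: the injected X-Injected header lands between the request line and the Host header, while the same payload in percent-encoded form stays inside the path and reaches the server as one request-target.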