libsoup HTTP Smuggling and Server-Side Request Forgery Vulnerability via Hostname CRLF Injection

Vulnerability

libsoup, a library for sending network requests, does not properly validate hostnames. This flaw allows special characters to be injected into HTTP headers, which a remote attacker could exploit to perform HTTP smuggling, in which hidden malicious requests are sent alongside legitimate ones. This vulnerability could lead to Server-Side Request Forgery (SSRF), where an attacker tricks the server into making unauthorized requests to other systems. The impact is considered low, as the vulnerable SoupServer component is not used in critical internet infrastructure.

Impact

Exploitation of this vulnerability causes an HTTP POST request to be sent in a context where a file read operation is expected, disrupting normal behavior. This issue could be particularly problematic if the URL is controlled by an attacker. For instance, in a scenario involving LibreOffice processing a malicious document, this vulnerability could be exploited to execute an unauthorized POST request, potentially causing significant issues in certain web applications.

Reproduction

To reproduce this vulnerability, use libsoup as a client to send a request with a malformed hostname that includes CRLF characters. This can be done by invoking 'soup_message_set_request_host_from_uri()' with a 'GUri' that has been crafted to include these characters. Once the request is sent, the HTTP server will interpret it as two separate requests, enabling an HTTP smuggling attack. This vulnerability can be exploited on servers that do not require DNS resolution for subdomains, and has been confirmed to work with nginx.
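A defensive check an application can apply before handing an externally supplied hostname to libsoup, shown as an added example that is not part of the original advisory or libsoup's own code. The function names (hexval, host_byte_ok, build_host_header) and the hostnames used to exercise it are assumptions made for illustration: the host is percent-decoded first, then every byte is checked against an allowlist, so CR and LF never reach the Host header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for this example; none of these are libsoup API. */

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                       /* fold letters to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Allowlist for a decoded host: DNS labels and IP literals only.
 * CR, LF, NUL, space and every other byte are rejected. */
static bool host_byte_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' ||
           c == ':' || c == '[' || c == ']';
}

/* Percent-decode `raw` and validate each resulting byte.
 * Writes "Host: <host>\r\n" to out and returns its length, or -1 if the
 * host is empty, too long, malformed, or has a byte outside the allowlist. */
int build_host_header(const char *raw, char *out, size_t outsz)
{
    char host[254];
    size_t n = 0;

    for (size_t i = 0; raw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)raw[i];
        if (c == '%') {
            int hi = hexval((unsigned char)raw[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)raw[i + 2]);
            if (lo < 0) return -1;   /* truncated or non-hex escape */
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        if (!host_byte_ok(c) || n >= sizeof host - 1) return -1;
        host[n++] = (char)c;
    }
    if (n == 0) return -1;
    host[n] = '\0';
    int len = snprintf(out, outsz, "Host: %s\r\n", host);
    return (len < 0 || (size_t)len >= outsz) ? -1 : len;
}
```

Validating after decoding matters because an encoded CR or LF passes a check made on the raw string and only becomes a line break once decoded.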

Added: Mar 17, 2026, 10:25 AM
Updated: Mar 17, 2026, 10:25 AM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 1.3
exploitability: 6.7
remediation: 0.0
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.