code-423n4 / 2024-03-phala-network-findings


CVE-2021-21299 - possible smuggling attack #2

Closed c4-bot-2 closed 3 months ago

c4-bot-2 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/Cargo.lock#L2137

Vulnerability details

Impact

In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks".

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Recommended Mitigation Steps

Since there are a few files in the scope of this audit that use »HttpRequest«, updating the hyper package to version 0.14.3 or above is advised.

Assessed type

Upgradable
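The flaw described above comes down to one server decision: how to frame the body when a request carries more than one Transfer-Encoding header, or a Transfer-Encoding header together with Content-Length. The following is an added example, not code from hyper, from the Phala repository or from the report author, showing the strict framing check a server should apply (RFC 7230 section 3.3.3): every ambiguous combination is refused so that the server and any proxy in front of it cannot disagree about where a request ends. The function and type names (`parse_headers`, `classify_framing`, `Framing`, `FramingError`) and the sample header blocks are constructed for this example.

```rust
// Added example, not hyper's code: strict framing check for HTTP/1.1
// request headers, written the way a server must behave to avoid the
// ambiguity behind CVE-2021-21299 (RFC 7230 section 3.3.3).

#[derive(Debug, PartialEq)]
pub enum Framing {
    /// Body is delimited by the chunked transfer coding.
    Chunked,
    /// Body is exactly this many bytes.
    ContentLength(u64),
    /// No framing header: the request has no body.
    NoBody,
}

#[derive(Debug, PartialEq)]
pub enum FramingError {
    /// More than one Transfer-Encoding header field; answer 400 and close.
    MultipleTransferEncoding,
    /// Transfer-Encoding present but "chunked" is not the final coding.
    ChunkedNotFinal,
    /// A transfer coding this server does not implement.
    UnknownTransferCoding(String),
    /// Transfer-Encoding and Content-Length both present: refuse outright.
    ConflictingHeaders,
    /// Content-Length unparsable, or duplicated with differing values.
    BadContentLength,
}

/// Split the header block (everything after the request line) into
/// (name, value) pairs. Lines without a colon are dropped.
pub fn parse_headers(head: &str) -> Vec<(String, String)> {
    head.split("\r\n")
        .filter(|line| !line.is_empty())
        .filter_map(|line| {
            let (name, value) = line.split_once(':')?;
            Some((name.trim().to_string(), value.trim().to_string()))
        })
        .collect()
}

/// Decide how the body is framed, refusing every ambiguous combination.
pub fn classify_framing(headers: &[(String, String)]) -> Result<Framing, FramingError> {
    let te: Vec<&str> = headers
        .iter()
        .filter(|(n, _)| n.eq_ignore_ascii_case("transfer-encoding"))
        .map(|(_, v)| v.as_str())
        .collect();
    let cl: Vec<&str> = headers
        .iter()
        .filter(|(n, _)| n.eq_ignore_ascii_case("content-length"))
        .map(|(_, v)| v.as_str())
        .collect();

    if te.len() > 1 {
        // The shape the vulnerable hyper versions mishandled: repeated
        // Transfer-Encoding fields were folded together and read as chunked.
        return Err(FramingError::MultipleTransferEncoding);
    }
    if let Some(value) = te.first() {
        if !cl.is_empty() {
            // RFC 7230 says Transfer-Encoding wins, but a proxy that picks
            // Content-Length would desync; refusing is the safe choice.
            return Err(FramingError::ConflictingHeaders);
        }
        let codings: Vec<String> = value
            .split(',')
            .map(|c| c.trim().to_ascii_lowercase())
            .collect();
        for c in &codings {
            if !matches!(c.as_str(), "chunked" | "gzip" | "deflate" | "compress") {
                return Err(FramingError::UnknownTransferCoding(c.clone()));
            }
        }
        if codings.last().map(String::as_str) != Some("chunked") {
            return Err(FramingError::ChunkedNotFinal);
        }
        return Ok(Framing::Chunked);
    }
    match cl.as_slice() {
        [] => Ok(Framing::NoBody),
        [first, rest @ ..] => {
            // Duplicate Content-Length is tolerated only if every copy agrees.
            if rest.iter().any(|v| v != first) {
                return Err(FramingError::BadContentLength);
            }
            first
                .parse::<u64>()
                .map(Framing::ContentLength)
                .map_err(|_| FramingError::BadContentLength)
        }
    }
}

fn main() {
    // Constructed sample: the duplicated-header shape that must be refused.
    let h = parse_headers(
        "Host: example.invalid\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: gzip\r\n",
    );
    println!("{:?}", classify_framing(&h));
}
```

The check runs before any body bytes are consumed, so a rejected request never leaves unread bytes on the connection that a later request could be parsed from; a server that returns one of these errors should send 400 and close the connection rather than continue reading.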

c4-pre-sort commented 3 months ago

141345 marked the issue as insufficient quality report

141345 commented 3 months ago

Out of scope

c4-judge commented 3 months ago

OpenCoreCH marked the issue as unsatisfactory: Invalid