Message-ID: <SKw_ToHIuGYva1PSf5wyhtjsAF3lJsdULyyEJXoci7eNUXAHVfX9xfir2ESPsbFoSHSW5muf3n20U1ny-TnWmhrbHo8-6yy-1Qi7wVc17Ko=@protonmail.ch>
Date: Tue, 24 Jun 2025 16:04:56 +0000
From: Brian Carpenter via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Remote DoS in httpx 1.7.0 – Out-of-Bounds Read via Malformed <title> Tag

Hey list,

You can remotely crash httpx v1.7.0 (by ProjectDiscovery) by serving a malformed <title> tag on your website. The bug is a classic out-of-bounds read in trimTitleTags() due to a missing bounds check when slicing the title string. It panics with:

panic: runtime error: slice bounds out of range [9:6]

Affects anyone using httpx in their automated scanning pipeline. One malformed HTML response = scanner down. Unit testing or fuzzing this function would’ve caught it in 5 minutes. But it’s “just a bug.” 😂

💥 Trigger input:

<title</></title>0

📍 Vulnerable code:

func trimTitleTags(title string) string {
    titleBegin := strings.Index(title, ">")
    titleEnd := strings.Index(title, "</")
    if titleEnd < 0 || titleBegin < 0 {
        return title
    }
    return title[titleBegin+1 : titleEnd] // ← PANIC here
}

✅ Fix:
https://github.com/projectdiscovery/httpx/pull/2198

📂 PoC + context:
https://github.com/projectdiscovery/httpx/issues/2197

Crash scanners. Create blind spots. Chain with HTML injection. Happy hunting.

Stay glitchy,

—geeknik
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
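
Added example, not part of the original post and not the project's fix from PR 2198: a Go regression check that runs the quoted function and a bounds-safe variant over the trigger input and over every short string built from tag characters. trimTitleTagsSafe, panics and countPanics are hypothetical names, and the "<>/a" alphabet is constructed for the check.

```go
package main

import "fmt"
import "strings"

// trimTitleTagsVulnerable is the function quoted in the post, unchanged.
func trimTitleTagsVulnerable(title string) string {
	titleBegin := strings.Index(title, ">")
	titleEnd := strings.Index(title, "</")
	if titleEnd < 0 || titleBegin < 0 {
		return title
	}
	return title[titleBegin+1 : titleEnd]
}

// trimTitleTagsSafe (hypothetical): "</" is searched only after the first ">".
func trimTitleTagsSafe(title string) string {
	begin := strings.Index(title, ">") + 1 // 0 when there is no ">"
	end := strings.Index(title[begin:], "</")
	if begin == 0 || end < 0 {
		return title
	}
	return title[begin : begin+end] // begin+end <= len(title) by construction
}

// panics reports whether f panics when called with s.
func panics(f func(string) string, s string) (p bool) {
	defer func() { p = recover() != nil }()
	f(s)
	return
}

// countPanics runs f on every string over alphabet of at most maxLen bytes.
func countPanics(f func(string) string, alphabet string, maxLen int) (n int) {
	var walk func(string)
	walk = func(s string) {
		if panics(f, s) {
			n++
		}
		for i := 0; len(s) < maxLen && i < len(alphabet); i++ {
			walk(s + alphabet[i:i+1])
		}
	}
	walk("")
	return
}

func main() { // trigger is from the post; the "<>/a" alphabet is constructed
	fmt.Println(panics(trimTitleTagsVulnerable, "<title</></title>0"), countPanics(trimTitleTagsSafe, "<>/a", 5))
}
```

Any input where "</" appears before the first ">" makes the quoted function panic, so the exhaustive pass finds crashing inputs as short as three bytes.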
