NULL Pointer Dereference and Daemon Crash in Hydra 0.1.8 when Processing POST Requests without Content-Length Header

CVE-2019-17502 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests that lack a Content-Length header. read.c, request.c, and util.c contribute to this. The process_header_end() function calls boa_atoi(), which ultimately calls atoi() on a NULL pointer.
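
The failure mode described above, and a guarded alternative, as an added example that is not Hydra's own code. `struct request`, `parse_content_length()` and `check_post_length()` are hypothetical names, and answering a length-less POST with 411 is an assumption about the desired behaviour.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request record: content_length stays NULL when the
 * client sent no Content-Length header (the case in the advisory). */
struct request {
    const char *method;
    const char *content_length;
};

/* Crashing pattern: atoi(req->content_length) with a NULL pointer.
 * This parser instead returns 0 and stores the length on success,
 * -1 if the value is missing or malformed. */
int parse_content_length(const char *value, long *out)
{
    char *end;
    long n;

    if (value == NULL || *value == '\0')
        return -1;
    if (!isdigit((unsigned char)*value))   /* rejects sign, leading space */
        return -1;
    errno = 0;
    n = strtol(value, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow or trailing junk */
        return -1;
    *out = n;
    return 0;
}

/* Status to act on once the headers are complete: 200 to continue,
 * 411 Length Required, or 400 Bad Request. */
int check_post_length(const struct request *req, long *body_len)
{
    *body_len = 0;
    if (strcmp(req->method, "POST") != 0)
        return 200;
    if (req->content_length == NULL)
        return 411;
    if (parse_content_length(req->content_length, body_len) != 0)
        return 400;
    return 200;
}
```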
