@@ -117,6 +117,52 @@ For more info about HTTP Request Smuggling check:
- **`Content-Language`**: Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.
- **`Content-Location`**: Indicates an alternate location for the returned data.

### Unsupported request-body encodings

`Content-Encoding` is not only interesting in **responses**. Some products also inspect it on **requests** and will transparently decompress the body before authentication, routing, or application logic. This creates a useful attack surface when the server:

- accepts **`POST`/`PUT`** bodies before authentication
- exposes a decompressor for values like **`gzip`** or **`deflate`**
- rejects unsupported encodings only under a secondary config flag, or forgets to reject them at all

This can turn a single request into a **pre-auth parser/decompressor DoS** or, in the worst case, a memory-corruption sink. Test weird or unnecessary request-body encodings whenever the product does not actually need them.

Minimal probe pattern:

```http
POST / HTTP/1.1
Host: target
Content-Encoding: deflate
Content-Length: 1

A
```

Notes:

- The body may only need to be **non-empty**; sometimes it does **not** need to be valid compressed data.
- Prefer replaying this only in labs. Against production targets, first look for a **safe differential check**.

### Safe differential detection using `identity`

When a vendor fixes this class of bug by adding an **input-validation gate** before body processing, you can often fingerprint patch status safely without reaching the dangerous decompressor. A common pattern is:

- **Patched**: any request with a body and a non-empty `Content-Encoding` is rejected with **`415 Unsupported Media Type`**
- **Vulnerable**: the same request is processed normally because the validation gate is missing

Safe example:

```http
POST / HTTP/1.1
Host: target
Content-Encoding: identity
Content-Length: 1

A
```

If `identity` returns `415`, the product is likely enforcing a generic **"no encoded request bodies"** rule. If it accepts the request, review whether request decompression is reachable and whether `gzip`/`deflate` become dangerous. This is especially useful for managed file transfer products, admin portals, and appliances exposing web interfaces by default.

From a pentest point of view this information is usually "useless", but if the resource is **protected** by a 401 or 403 and you can find some **way** to **get** this **info**, this could be **interesting.**\
For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests:

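Review bot: the `identity` check under "Safe differential detection" has no control request, so a `415` cannot be attributed to the `Content-Encoding` gate alone: the example sends a one-byte body with no `Content-Type`, and `415 Unsupported Media Type` is also the standard rejection for an unsupported or missing media type. Suggest pairing it with an otherwise identical baseline request that omits `Content-Encoding` (same `Host`, `Content-Length: 1`, body `A`) and counting only a `415` that appears exclusively on the `identity` variant as evidence of the encoding gate; the expected baseline status belongs next to the "Patched" / "Vulnerable" bullets so the differential is actually spelled out. Since the notes already say to "first look for a safe differential check", the `identity` section would also read more naturally if it came before the `deflate` probe rather than after it.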
@@ -302,6 +348,9 @@ The headers reach the `exec` component unfiltered, resulting in remote command e
## References

- [CVE-2025-27636 – RCE in Apache Camel via header casing bypass (OffSec blog)](https://www.offsec.com/blog/cve-2025-27636/)
- [A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318](https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serv-u-cve-2026-28318)
- [Bishop Fox safe checker for CVE-2026-28318](https://github.com/BishopFox/CVE-2026-28318-check)
- [SolarWinds Serv-U 15.5.4 Hotfix 1 release notes](https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4-hotfix-1_release_notes.htm)
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition)
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
- [https://web.dev/security-headers/](https://web.dev/security-headers/)
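Review bot: the three new SolarWinds / Bishop Fox entries use descriptive titles while the MDN and web.dev entries below them keep bare URLs as link text; pick one style for the whole list. It would also help to name, in the title or a trailing note, which section each new reference supports (the pre-auth decompressor discussion versus the `identity` differential), so a reader can trace the `415` patched-behaviour claim in the section above back to its source.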