[23181] in bugtraq
Trouble with cookies and redirect
daemon@ATHENA.MIT.EDU (Ulf Harnhammar)
Mon Nov 19 15:21:10 2001
From: "Ulf Harnhammar" <metaur@prontomail.com>
Message-Id: <F1DD0D09CBB7CBA47A6066BD37EF1239@metaur.prontomail.com>
Date: Sat, 17 Nov 2001 13:55:28 +0100
Content-Type: text/plain; charset=iso-8859-1
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
All this talk about cookies has got me thinking about another,
related problem. There is lots of HTTP redirecting code floating
around the net, and some of it decodes the incoming data from its URL-
encoded state. This makes it possible to include CR+LF characters in
the URL-encoded data (by typing in something like "%0d%0a"), which in
turn allows an attacker to set cookies that will be sent from the
server to the victim.
If the code looks like this (in Perl):
print "Location: $url\015\012\015\012";
and the attacker somehow manages to give $url the
value "http://slashdot.org/\015\012Set-Cookie: evil=natas", a cookie
will be set before redirecting. If this is used in a system where
users can send in links that other users are redirected to, the
attackers can set arbitrary cookies that will be sent from the server
to the victim(s). Not very good.
Fix: remove all CR and LF characters from $url before redirecting:
$url =~ tr/\015\012//d;
// Ulf Härnhammar
metaur@prontomail.com
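The post's vulnerable Perl pattern and its tr///d fix, carried through in Python as an added example (not the author's code): the URL-encoded target, the raw 302 response string and the small header parser standing in for the victim's browser are all constructed here for the demonstration.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample input (not from the post): a URL-encoded redirect target
# carrying %0d%0a, followed by an extra header line, as the post describes.
ENCODED_TARGET = "http%3A%2F%2Fexample.com%2F%0d%0aSet-Cookie%3A%20evil%3Dnatas"

def redirect_vulnerable(encoded_url: str) -> str:
    """Mirror of the Perl pattern in the post: URL-decode, then interpolate
    the value straight into the Location header of a raw 302 response."""
    url = unquote(encoded_url)
    return f"HTTP/1.1 302 Found\r\nLocation: {url}\r\n\r\n"

def strip_crlf(value: str) -> str:
    """Python equivalent of the posted fix: $url =~ tr/\\015\\012//d;"""
    return value.replace("\r", "").replace("\n", "")

def redirect_fixed(encoded_url: str) -> str:
    """Same redirect, with CR and LF removed after decoding, before use."""
    url = strip_crlf(unquote(encoded_url))
    return f"HTTP/1.1 302 Found\r\nLocation: {url}\r\n\r\n"

def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """Minimal header parser standing in for the client. It accepts a bare LF
    as a line break, as lenient clients do, which is why the fix deletes both
    characters individually rather than only the CR+LF pair."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers: dict[str, list[str]] = {}
    for line in re.split(r"\r?\n", head)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def injected_cookies(raw_response: str) -> list[str]:
    """Set-Cookie values found in a redirect that should set none at all."""
    return parse_response_headers(raw_response).get("set-cookie", [])

if __name__ == "__main__":
    print(injected_cookies(redirect_vulnerable(ENCODED_TARGET)))  # ['evil=natas']
    print(injected_cookies(redirect_fixed(ENCODED_TARGET)))       # []
```

With the fix applied, the injected text survives only as harmless trailing characters of the Location value; no second header line is ever emitted.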