Bugtraq mailing list archives
Trouble with cookies and redirect
From: "Ulf Harnhammar" <metaur () prontomail com>
Date: Sat, 17 Nov 2001 13:55:28 +0100
All this talk about cookies has got me thinking about another, related problem. There is lots of HTTP redirecting code floating around the net, and some of it decodes the incoming data from its URL-encoded state. This makes it possible to include CR+LF characters in the URL-encoded data (by typing in something like "%0d%0a"), which in turn allows an attacker to set cookies that will be sent from the server to the victim.

If the code looks like this (in Perl):

    print "Location: $url\015\012\015\012";

and the attacker somehow manages to give $url the value "http://slashdot.org/\015\012Set-Cookie: evil=natas", a cookie will be set before redirecting.

If this is used in a system where users can send in links that other users are redirected to, the attackers can set arbitrary cookies that will be sent from the server to the victim(s). Not very good.

Fix: remove all CR and LF characters from $url before redirecting:

    $url =~ tr/\015\012//d;

// Ulf Härnhammar
metaur () prontomail com
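Added example, not part of the original post: a small Perl script that builds the redirect response from the post with and without the tr/\015\012//d fix, then lists the header fields a client would see in each. The helper names (url_decode, redirect_unsafe, redirect_safe, header_names) are hypothetical, and the query-string value is constructed from the URL and cookie used in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode %XX escapes the way many redirect scripts do (hypothetical helper).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Redirect as in the post: the decoded value goes straight into the header.
sub redirect_unsafe {
    my ($url) = @_;
    return "Location: $url\015\012\015\012";
}

# Same response with the post's fix applied first.
sub redirect_safe {
    my ($url) = @_;
    $url =~ tr/\015\012//d;    # remove all CR and LF characters
    return "Location: $url\015\012\015\012";
}

# Names of the header fields a client would parse from the response head.
sub header_names {
    my ($response) = @_;
    my ($head) = split /\015\012\015\012/, $response, 2;
    my @names;
    for my $line (split /\015\012/, $head) {
        push @names, $1 if $line =~ /^([^:]+):/;
    }
    return @names;
}

# Constructed query-string value, using the same URL and cookie as the post.
my $param = 'http://slashdot.org/%0d%0aSet-Cookie:%20evil=natas';
my $url   = url_decode($param);

print "unsafe: ", join(", ", header_names(redirect_unsafe($url))), "\n";
print "safe:   ", join(", ", header_names(redirect_safe($url))), "\n";
```

With the fix applied, the decoded value stays inside the single Location field, so the response carries no second header line.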