Bugtraq mailing list archives

Trouble with cookies and redirect


From: "Ulf Harnhammar" <metaur () prontomail com>
Date: Sat, 17 Nov 2001 13:55:28 +0100

All this talk about cookies has got me thinking about another,
related problem. There is lots of HTTP redirecting code floating
around the net, and some of it decodes the incoming data from its URL-
encoded state. This makes it possible to include CR+LF characters in
the URL-encoded data (by typing in something like "%0d%0a"), which in
turn allows an attacker to set cookies that will be sent from the
server to the victim.

If the code looks like this (in Perl):

print "Location: $url\015\012\015\012";

and the attacker somehow manages to give $url the
value "http://slashdot.org/\015\012Set-Cookie: evil=natas", a cookie 
will be set before redirecting. If this is used in a system where
users can send in links that other users are redirected to, the
attackers can set arbitrary cookies that will be sent from the server
to the victim(s). Not very good.

Fix: remove all CR and LF characters from $url before redirecting:

$url =~ tr/\015\012//d;
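Added example, not part of Ulf's post: the same redirect code mirrored in Python (the verifier runs Python; the post's own code is Perl), once as written and once with the CR/LF deletion applied, plus a small header parser so the effect of the split can be checked rather than eyeballed. The encoded parameter is constructed; the fix is applied after URL-decoding, which is the order that matters.

```python
from urllib.parse import unquote

# Constructed sample query parameter, URL-encoded as it arrives in the request.
# "%0d%0a" decodes to CR+LF, the sequence the post warns about.
SAMPLE_PARAM = "http://slashdot.org/%0d%0aSet-Cookie:%20evil=natas"


def vulnerable_redirect(raw_url: str) -> str:
    # Mirrors the Perl  print "Location: $url" . CRLF . CRLF;  on decoded input.
    url = unquote(raw_url)
    return f"Location: {url}\r\n\r\n"


def fixed_redirect(raw_url: str) -> str:
    # Same, with the post's fix (Perl tr/CR LF//d) applied AFTER decoding,
    # so an encoded CR/LF cannot survive into the header.
    url = unquote(raw_url)
    url = url.replace("\r", "").replace("\n", "")
    return f"Location: {url}\r\n\r\n"


def header_names(response_head: str) -> list:
    # Parse the header block the way a client would and return the header
    # names it sees; a second name means the response was split.
    head = response_head.split("\r\n\r\n", 1)[0]
    names = []
    for line in head.split("\r\n"):
        name, _, _ = line.partition(":")
        names.append(name.strip())
    return names


if __name__ == "__main__":
    print(header_names(vulnerable_redirect(SAMPLE_PARAM)))  # ['Location', 'Set-Cookie']
    print(header_names(fixed_redirect(SAMPLE_PARAM)))       # ['Location']
```

With the fix, the leftover text becomes part of the Location value (an odd but harmless redirect target) instead of a second header.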

// Ulf Härnhammar
metaur () prontomail com



