Re: Is this exploitable?..

[Tim <tim-security () sentinelchicken org>]

> It looks like responseString obtained from req is forgeable and this may
> conceivably lead to a vulnerability down the line, it seems, when
> responseString is output with a call to out.print(responseString).
>
> Please advise.


I don't entirely follow the context of that code snippet, but could it
be exploitable via HTTP Response Splitting?  It seems headers are
simply copied, but if there was any transparent decoding of the strings
in the request object (and no re-encoding) before hand, then someone
could inject arbitrary data, including whole requests.  Example:

GET /index.html%0d%0a%0d%0a%0d%0aHTTP/1.1%20200%20Found%0d%0a...  HTTP/1.1
Host: www.example.com


Then, if the URL is decoded in the request object, and simply tacked on
to the response string, then there could be issues.  But I have no idea
if this is happening.  It is pure speculation, to give you an idea of
what to look for.

See this paper for more details:
  http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf

good luck,
tim