WebApp Sec mailing list archives
Re: Is this exploitable?..
From: Tim <tim-security () sentinelchicken org>
Date: Mon, 20 Dec 2004 19:57:54 -0500
It looks like responseString obtained from req is forgeable and this may conceivably lead to a vulnerability down the line, it seems, when responseString is output with a call to out.print(responseString). Please advise.
I don't entirely follow the context of that code snippet, but could it be exploitable via HTTP Response Splitting? It seems headers are simply copied, but if there was any transparent decoding of the strings in the request object (and no re-encoding) before hand, then someone could inject arbitrary data, including whole requests. Example: GET /index.html%0d%0a%0d%0a%0d%0aHTTP/1.1%20200%20Found%0d%0a... HTTP/1.1 Host: www.example.com Then, if the URL is decoded in the request object, and simply tacked on to the response string, then there could be issues. But I have no idea if this is happening. It is pure speculation, to give you an idea of what to look for. See this paper for more details: http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf good luck, tim
Current thread:
- Is this exploitable?.. Benjamin Livshits (Dec 16)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Stephen de Vries (Dec 20)
- Re: Is this exploitable?.. Tim (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)