On 2004.07.16, Jade Rubick <[EMAIL PROTECTED]> wrote:
> There is a security issue in Aolserver, which is described here:
>
> http://openacs.org/bugtracker/openacs/bug?bug_number=2011
>
> Untrusted users can craft pages that subsequent users will receive when
> they browse the site.
>
> This should be a one-line bug-fix, I imagine.
This was discussed in the online chat, and my feelings are that there are
many, many places where AOLserver allows the developer to touch the
outgoing HTTP response headers. It is the developer's responsibility to
sanitize any user-supplied input (or, potentially user-supplied input in
the case of the URL, or POST request body, etc.) to ensure that it's
valid. In the case of request-supplied data that will be placed in an
HTTP response header, the developer should use code that checks for
embedded newlines in the data, to prevent these HTTP response splitting
attacks.

To change things like ns_returnredirect to only send up to the first
newline might be a "fix", but then you'd also have to guard uses of
"ns_set [ns_conn outputheaders] $key $value" where $value contains a
string with embedded newlines: how do you propose to "fix" that?

Let's discuss this issue, but my gut reaction is that the proper fix to
this issue is defensive programming by the application developer. It is
likely not possible to completely enforce in the server alone.

-- Dossy

-- 
Dossy Shiobara                       mail: [EMAIL PROTECTED]
Panoptic Computer Network            web:  http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own folly
    -- then you can let go and quickly move on." (p. 70)

--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to
<[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email
message. You can leave the Subject: field of your email blank.
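The defensive check Dossy describes, written out as an added example (it is not code from this thread or from AOLserver itself): a pure-Tcl validator that refuses any request-supplied value containing CR or LF before it is handed to ns_set or ns_returnredirect. The proc names header_value_ok and safe_header_value are my own, the ns_* calls in the comment are shown only as the intended call site and are not executed here, and the two sample strings are constructed inputs.

```tcl
# Added example (not from the original thread): guard header values before
# they reach the outgoing HTTP headers. Pure Tcl; runs under plain tclsh.

# Return 1 if $value can sit on a single HTTP header line, 0 otherwise.
# CR and LF are the characters that end a header line, so a value that
# carries either one can terminate the header (or the whole header block)
# and start a new one. That is the response-splitting case from the thread.
proc header_value_ok {value} {
    return [expr {![regexp {[\r\n]} $value]}]
}

# Wrapper that raises an error instead of silently emitting a split response.
# Callers get a clean failure they can log and turn into a 400, rather than a
# truncated-but-accepted header.
proc safe_header_value {name value} {
    if {![header_value_ok $value]} {
        error "refusing to set header $name: value contains CR or LF"
    }
    return $value
}

# Hypothetical use inside an AOLserver page (assumed call site, not run here):
#   ns_set put [ns_conn outputheaders] Location [safe_header_value Location $url]
#   ns_returnredirect [safe_header_value Location $url]

# Self-check with constructed inputs: an ordinary URL and one that smuggles
# a line break followed by an extra header.
set good "http://example.com/page?id=42"
set bad  "http://example.com/\r\nX-Injected: 1"

puts "good value accepted: [header_value_ok $good]"
puts "bad value accepted:  [header_value_ok $bad]"

if {[catch {safe_header_value Location $bad} msg]} {
    puts "safe_header_value rejected bad value: $msg"
}
```

The check is deliberately a reject rather than a strip: truncating at the first newline (the ns_returnredirect "fix" the thread mentions) hides the problem, whereas an error surfaces it to the application developer and can be logged as a sign of tampering with the request.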
