Ortwin Escher created DELTASPIKE-963:
----------------------------------------
Summary: Header injection due to unescaped key in JsfUtils
Key: DELTASPIKE-963
URL: https://issues.apache.org/jira/browse/DELTASPIKE-963
Project: DeltaSpike
Issue Type: Bug
Affects Versions: 1.4.1
Reporter: Ortwin Escher
The JsfUtils used in DeltaSpike URLEncode the values but not the keys. This
allows header injection (see
https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on this
attack type). As an example if I open a page without window ID and thus have a
redirect by DefaultClientWindow.getOrCreateWindowId() in it:
/somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
will cause the key side to be an unescaped part of the redirect URL and thus
cause the cookie to be set. The encodeValues parameter should also cause the
keys to be encoded as well.
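To make the failure mode concrete, the following stand-alone Java class (an added illustration, not DeltaSpike's own JsfUtils code) builds a redirect query string two ways: once encoding only the values, as the report describes, and once encoding keys as well. It feeds in a constructed parameter map holding the decoded form of the parameter name from the report, which is what a servlet container hands back after it has decoded %0a and %20, and then applies a defensive CR/LF check on the resulting redirect target. The class name, method names and the windowId parameter are assumptions made for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectQueryStringExample {

    /**
     * Builds a query string from the given parameters. With encodeKeys=false the
     * parameter names are copied through verbatim (the behaviour the report
     * describes); with encodeKeys=true names and values are both URL-encoded.
     */
    static String buildQueryString(Map<String, String> params, boolean encodeKeys) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(encodeKeys ? encode(e.getKey()) : e.getKey());
            sb.append('=');
            sb.append(encode(e.getValue()));
        }
        return sb.toString();
    }

    /** URL-encodes a single key or value as UTF-8 (CR and LF become %0D / %0A). */
    static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException ex) {
            throw new IllegalStateException("UTF-8 is always available", ex);
        }
    }

    /**
     * Defensive check to apply before passing a target to sendRedirect: a raw CR
     * or LF in the Location value is exactly what enables response splitting.
     */
    static boolean containsCrLf(String url) {
        return url.indexOf('\r') >= 0 || url.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample input: the decoded parameter name from the report
        // (%0aSet-Cookie:%20newcookie%3Dinjectme%0a) plus an assumed window-id parameter.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("\nSet-Cookie: newcookie=injectme\n", "");
        params.put("windowId", "w1");

        String valuesOnly = "/somepage.xhtml?" + buildQueryString(params, false);
        String keysAndValues = "/somepage.xhtml?" + buildQueryString(params, true);

        System.out.println("values-only encoding, CR/LF in redirect target: " + containsCrLf(valuesOnly));
        System.out.println("keys-and-values encoding, CR/LF in redirect target: " + containsCrLf(keysAndValues));
        System.out.println("encoded redirect target: " + keysAndValues);
    }
}
```

Encoding the key turns the embedded line breaks into %0A, so the redirect target stays a single header line; the containsCrLf check is a second, independent guard that is cheap to keep in front of any sendRedirect call regardless of which library built the URL.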
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)