I've created DELTASPIKE-963.

Regards

Ortwin Escher
Specialist, Vehicle IT, VC-M1

IAV GmbH
Rockwellstrasse 16
38518 GIFHORN
GERMANY
Internet: http://www.iav.com

Registered Office: Berlin,
Registration Court: Amtsgericht Charlottenburg,
Company Registration Number: HRB 21 280,
Managing Directors: Kurt Blumenröder, Michael Schubert, Olaf Kupke
Chairman of the Supervisory Board: Dr. Harald Ludanek

----- Forwarded by Ortwin Escher/V/IAV on 21.07.2015 09:59 -----

Ortwin Escher/V/IAV wrote on 21.07.2015 09:13:21:

> From: Ortwin Escher/V/IAV
> To: [email protected],
> Date: 21.07.2015 09:13
> Subject: Header injection due to unescaped key in JsfUtils
>
> Hello,
>
> As requested, to the developers list:
>
> The JsfUtils used in DeltaSpike URL-encode the values but not the
> keys. This allows header injection (see https://www.owasp.org/
> index.php/HTTP_Response_Splitting for more info on this attack
> type). As an example, if I open a page without window ID and thus
> have a redirect by DefaultClientWindow.getOrCreateWindowId() in it:
>
> /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
>
> will cause the key side to be an unescaped part of the redirect URL
> and thus cause the cookie to be set. The encodeValues parameter
> should cause the keys to be encoded as well.
>
> Regards
>
> Ortwin Escher
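The pattern reported above, shown as an added example in Java that is not DeltaSpike's own code: a simplified query-string builder that encodes only values (the behaviour the mail describes) next to one that encodes keys too, plus the CR/LF check a response writer should apply to a Location header before emitting it. The parameter name `dswid`, the value `4711`, and the builder method names are assumptions for the demonstration; the `URLEncoder.encode(String, Charset)` overload needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectQueryDemo {

    /** Pattern from the report: values are URL-encoded, keys are copied verbatim. */
    static String buildQueryValuesOnly(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(e.getKey());                 // unescaped: CR/LF in the key survive
            if (!e.getValue().isEmpty()) {
                sb.append('=').append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            }
        }
        return sb.toString();
    }

    /** Hardened variant: key and value both go through the encoder, so CR/LF become %0D/%0A. */
    static String buildQueryEncodeBoth(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8));
            if (!e.getValue().isEmpty()) {
                sb.append('=').append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            }
        }
        return sb.toString();
    }

    /** A header value that still contains a bare CR or LF would start a new header line on the wire. */
    static boolean isSafeHeaderValue(String value) {
        return value.indexOf('\r') < 0 && value.indexOf('\n') < 0;
    }

    public static void main(String[] args) {
        // Constructed input: "dswid" is the window-id parameter name assumed here for the redirect
        // that DefaultClientWindow adds; the second key is the one from the mail, as the servlet
        // container hands it over after URL-decoding "%0aSet-Cookie:%20newcookie%3Dinjectme%0a".
        Map<String, String> params = new LinkedHashMap<>();
        params.put("dswid", "4711");
        params.put("\nSet-Cookie: newcookie=injectme\n", "");

        String vulnerable = "/somepage.xhtml?" + buildQueryValuesOnly(params);
        String fixed = "/somepage.xhtml?" + buildQueryEncodeBoth(params);

        // Print the raw line breaks visibly so the injected header line is obvious.
        System.out.println("Location: " + vulnerable.replace("\n", "\\n"));
        System.out.println("  safe to emit? " + isSafeHeaderValue(vulnerable));
        System.out.println("Location: " + fixed);
        System.out.println("  safe to emit? " + isSafeHeaderValue(fixed));
    }
}
```

With the values-only builder the Location header carries a literal line feed followed by `Set-Cookie: newcookie=injectme`, which is exactly the response-splitting case the OWASP page describes; with keys encoded the same input yields `%0ASet-Cookie%3A+newcookie%3Dinjectme%0A` and the header stays on one line. Note that `URLEncoder` is a form encoder (space becomes `+`), which is acceptable inside a query string, and that a container which rejects CR/LF in header values would turn the vulnerable case into a failed redirect rather than a split response; the key still has to be encoded so that legitimate redirects keep working.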
