hi ortwin, thx - we will fix this issue asap and release a new version. it would be really great if you could check similar/related parts within the next ~two weeks. -> with v1.4.3 we could ship all those (related) fixes.

regards,
gerhard

2015-07-21 10:05 GMT+02:00 Ortwin Escher <[email protected]>:
> I've created DELTASPIKE-963.
>
> Regards
>
> Ortwin Escher
>
> Fachreferent, Fahrzeug IT, VC-M1
>
> IAV GmbH
> Rockwellstrasse 16
> 38518 GIFHORN
> GERMANY
>
> Internet: http://www.iav.com
>
> Sitz/Registered Office: Berlin,
> Registergericht/Registration Court: Amtsgericht Charlottenburg,
> Registernummer/Company Registration Number: HRB 21 280,
> Geschäftsführer/Managing Directors: Kurt Blumenröder, Michael Schubert, Olaf Kupke
> Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dr. Harald Ludanek
> ----- Forwarded by Ortwin Escher/V/IAV on 21.07.2015 09:59 -----
>
> Ortwin Escher/V/IAV wrote on 21.07.2015 09:13:21:
>
> > From: Ortwin Escher/V/IAV
> > To: [email protected],
> > Date: 21.07.2015 09:13
> > Subject: Header injection due to unescaped key in JsfUtils
> >
> > Hello,
> >
> > As wished to the developers list:
> >
> > The JsfUtils used in DeltaSpike URLEncode the values but not the keys.
> > This allows header injection (see
> > https://www.owasp.org/index.php/HTTP_Response_Splitting for more info
> > on this attack type). As an example, if I open a page without window ID
> > and thus have a redirect by DefaultClientWindow.getOrCreateWindowId()
> > in it:
> >
> > /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
> >
> > will cause the key side to be an unescaped part of the redirect URL and
> > thus cause the cookie to be set. The encodeValues parameter should also
> > cause the keys to be encoded as well.
> >
> > Regards
> >
> > Ortwin Escher
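The defect and fix described in the report, as an added illustration in Python (not DeltaSpike's own code): a redirect that re-serialises the request's query parameters and percent-encodes only the values lets the line breaks in the crafted key reach the Location header, whereas encoding keys as well neutralises them. The page path, the `windowId` suffix and all function names are assumptions for the demonstration.

```python
from urllib.parse import parse_qsl, quote

# Constructed sample taken from the report: the injected text sits in the KEY
# position, so an encoder that only touches values leaves the CR/LF intact.
CRAFTED_QUERY = "%0aSet-Cookie:%20newcookie%3Dinjectme%0a"


def rebuild_query(raw_query: str, encode_keys: bool) -> str:
    """Decode the query as a servlet container would, then re-serialise it for a
    redirect. encode_keys=False mirrors the reported defect (values only)."""
    parts = []
    for key, value in parse_qsl(raw_query, keep_blank_values=True):
        k = quote(key, safe="") if encode_keys else key
        v = quote(value, safe="")
        parts.append(f"{k}={v}")
    return "&".join(parts)


def redirect_location(path: str, raw_query: str, encode_keys: bool) -> str:
    """Location header value a redirect would emit after appending a window id
    (hypothetical 'windowId=demo' stands in for the real generated id)."""
    query = rebuild_query(raw_query, encode_keys)
    return f"{path}?{query}&windowId=demo" if query else f"{path}?windowId=demo"


def header_value_is_safe(value: str) -> bool:
    """Response-splitting check: a header value must never contain CR or LF."""
    return "\r" not in value and "\n" not in value


if __name__ == "__main__":
    for encode_keys in (False, True):
        loc = redirect_location("/somepage.xhtml", CRAFTED_QUERY, encode_keys)
        print(f"encode_keys={encode_keys}: safe={header_value_is_safe(loc)} {loc!r}")
```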
