This obvious security risk is mentioned in bugtraq today. IMHO, this is users' fault. They must check values before using it. In this specific case, user should use simple regex before feeding str to header().
Any opinion to make this to "won't fix"?

--
Yasuo Ohgaki

[EMAIL PROTECTED] wrote:
> From: [EMAIL PROTECTED]
> Operating system: Win32
> PHP version: 4.2.3
> PHP Bug Type: Output Control
> Bug description: header() Control Char Injection
>
> I made a quite primitive use of the header() function in a redirect
> script:
>
> <?php
> if (isset($_GET["url"])) {
>     header("Location: " . $_GET["url"]);
> }
> ?>
>
> But, now imagine for a second:
>
> >url=http%3A%2F%2Fwww.yahoo.com%2F%0D%0A%0D%0A%3Cscript%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E%0D%0A%0D%0A
>
> Which causes:
>
> Location: http://www.yahoo.com/
>
> <script>alert(document.cookie)</script>
>
> Another interesting thing about this is that it (possibly) allows
> bypassing output buffering(?).
>
> If nothing else, this is a documentation problem, as the header() docs say
> that it will modify a single header, but it also allows body content to be
> manipulated.

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
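The check Yasuo is asking for, written out as an added example that is not part of the thread or of PHP itself: a hardened version of the redirect script from the bug report that validates the user-supplied value before it reaches header(). The allow-list of hosts and the example.com names are assumptions for this example; the thread only discusses the CR/LF problem.

```php
<?php
// Added example (not from the original thread): hardened form of the
// redirect script quoted in the bug report.

/**
 * Return true only if $url may be placed in a Location header.
 *
 * Rejects ASCII control characters (a CR/LF pair would start a new header
 * line, and a blank line would start the response body), requires a
 * parseable absolute http/https URL, and requires the host to be on an
 * allow-list (assumed for this example).
 */
function is_safe_redirect_target(string $url, array $allowed_hosts): bool
{
    // $_GET values are already percent-decoded, so %0D%0A arrives here as a
    // literal "\r\n". Any control character is grounds for rejection.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return false;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // Host allow-list: an assumption for this example, not something the
    // thread requires. It prevents the script from redirecting to arbitrary
    // sites even when the value contains no control characters.
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

// Assumed allow-list for this example.
$allowed_hosts = ['www.example.com', 'example.com'];

if (PHP_SAPI === 'cli') {
    // Self-check with constructed inputs. The second input is the decoded
    // shape of the payload in the bug report, pointed at an allowed host so
    // that only the control-character check can reject it.
    $cases = [
        'https://www.example.com/'                           => true,
        "https://www.example.com/\r\n\r\n<script>x</script>" => false,
        'javascript:alert(1)'                                => false,
        'https://attacker.invalid/'                          => false,
        '/relative/path'                                     => false,
    ];
    foreach ($cases as $input => $expected) {
        $got = is_safe_redirect_target($input, $allowed_hosts);
        printf("%s  %s\n", $got === $expected ? 'ok  ' : 'FAIL', json_encode($input));
    }
    exit;
}

if (isset($_GET['url']) && is_string($_GET['url'])
    && is_safe_redirect_target($_GET['url'], $allowed_hosts)) {
    header('Location: ' . $_GET['url']);
    exit;
}

// Never echo the rejected value back; fall back to a fixed, trusted location.
header('Location: https://www.example.com/');
exit;
```

Run from the command line the script prints the result of each constructed case; served by a web server it performs the redirect only for values that pass the check. Rejecting the whole request is preferable to stripping the CR/LF characters, since a sanitised value still came from an untrusted source and the redirect target should be one the application chose. Later PHP releases (4.4.2 and 5.1.2) also made header() itself refuse values containing a newline, but input validation in the application remains the right place for the check.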