Yasuo Ohgaki wrote:
> This obvious security risk is mentioned in bugtraq today.
>
> IMHO, this is users' fault. They must check values before
> using it. In this specific case, user should use simple regex
> before feeding str to header().
>
> Any opinion to make this to "won't fix"?

One thing we could do is force header parameter a single line.
Any idea it may break applications?

--
Yasuo Ohgaki

> > --
> > Yasuo Ohgaki
> >
> > [EMAIL PROTECTED] wrote:
> >
> >> From:             [EMAIL PROTECTED]
> >> Operating system: Win32
> >> PHP version:      4.2.3
> >> PHP Bug Type:     Output Control
> >> Bug description: header() Control Char Injection
> >>
> >> I made a quite primitive use of the header() function in a redirect
> >> script:
> >>
> >>   <?php
> >>   if (isset($_GET["url"])) {
> >>       // the query string value is passed straight into the header
> >>       header("Location: " . $_GET["url"]);
> >>   }
> >>   ?>
> >>
> >> But, now imagine for a second:
> >>
> >>   ?url=http%3A%2F%2Fwww.yahoo.com%2F%0D%0A%0D%0A%3Cscript%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E%0D%0A%0D%0A
> >>
> >> Which causes:
> >>
> >>   Location: http://www.yahoo.com/
> >>
> >>   <script>alert(document.cookie)</script>
> >>
> >> Another interesting thing about this is that it (possibly) allows
> >> bypassing output buffering(?).
> >>
> >> If nothing else, this is a documentation problem, as the header() docs
> >> say that it will modify a single header, but it also allows body content
> >> to be manipulated.

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
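The two remedies discussed in the thread, checking the value before it reaches header() and refusing anything that is not a single line, can be applied in the redirect script itself. The following is an added example written for this page, not code from the thread or from PHP; the function names and the fallback location are assumptions, and the sample inputs are constructed from the URL-decoded payload in the bug report.

```php
<?php
// Added example (not from the thread). Applies the advice above: reject any
// header value that is not a single line, and restrict redirects to http(s)
// URLs, before anything is passed to header().

/**
 * True when $value contains no CR, LF or NUL byte. A value that passes this
 * check cannot end the Location header early and start another header or the
 * response body, which is exactly what the reported payload does.
 */
function is_single_line_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Returns $candidate only if it is a single line and an absolute http(s) URL
 * with no whitespace; otherwise returns a fixed, known-good $fallback.
 * (Assumed helper; the fallback path is a placeholder.)
 */
function safe_redirect_target(string $candidate, string $fallback = '/'): string
{
    if (!is_single_line_header_value($candidate)) {
        return $fallback;
    }
    if (preg_match('#\Ahttps?://[^\s]+\z#', $candidate) !== 1) {
        return $fallback;
    }
    return $candidate;
}

// The redirect script from the report, with the check in front of header().
if (isset($_GET["url"])) {
    header("Location: " . safe_redirect_target($_GET["url"]));
}

// Constructed demonstration inputs, shown only when run from the command line:
// the decoded payload from the bug report, a plain URL, and a non-http value.
if (PHP_SAPI === 'cli') {
    $samples = [
        "http://www.yahoo.com/\r\n\r\n<script>alert(document.cookie);</script>\r\n\r\n",
        "http://www.yahoo.com/",
        "javascript:alert(1)",
    ];
    foreach ($samples as $s) {
        printf("%s -> %s\n", json_encode($s), safe_redirect_target($s));
    }
}
```

The CR/LF check is the part that addresses the reported bug; the scheme check is a separate hardening step for open redirects that the thread does not discuss, so drop it if the application needs to redirect elsewhere. Later PHP releases (4.4.2 and 5.1.2 onward) made header() itself refuse values containing a newline, which is the "force it to a single line" option raised above, but validating in the application is still the right place to decide what the value may be.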