[ https://issues.apache.org/jira/browse/DELTASPIKE-963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14638440#comment-14638440 ]

Ortwin Escher commented on DELTASPIKE-963:
------------------------------------------

The fix works, thank you!

> Header injection due to unescaped key in JsfUtils
> -------------------------------------------------
>
>                 Key: DELTASPIKE-963
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-963
>             Project: DeltaSpike
>          Issue Type: Bug
>    Affects Versions: 1.4.1
>            Reporter: Ortwin Escher
>            Assignee: Thomas Andraschko
>             Fix For: 1.4.3
>
>
> The JsfUtils used in DeltaSpike URLEncode the values but not the keys. This 
> allows header injection (see 
> https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on this 
> attack type). As an example, if I open a page without window ID and thus have 
> a redirect by DefaultClientWindow.getOrCreateWindowId() in it:
> /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
> will cause the key side to be an unescaped part of the redirect URL and thus 
> cause the cookie to be set. The encodeValues parameter should also cause the 
> keys to be encoded as well.
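As an added illustration of the mechanism the report describes (example code written for this note, not DeltaSpike's own JsfUtils; the builder and check method names are hypothetical), the first builder encodes only values, so a key containing CR/LF survives into the redirect URL, while the second encodes keys as well:

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryStringEncoding {

    // Vulnerable shape from the report: only the value is percent-encoded,
    // so a key carrying CR/LF reaches the redirect Location header verbatim.
    static String buildValuesOnly(String base, Map<String, String> params)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(base);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep).append(e.getKey())
              .append('=').append(URLEncoder.encode(e.getValue(), "UTF-8"));
            sep = "&";
        }
        return sb.toString();
    }

    // Hardened shape: key and value are both percent-encoded, so "\n" becomes "%0A".
    static String buildKeysAndValues(String base, Map<String, String> params)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(base);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep).append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=').append(URLEncoder.encode(e.getValue(), "UTF-8"));
            sep = "&";
        }
        return sb.toString();
    }

    // Defensive check a redirect helper can apply before emitting a Location
    // header: a header value must never contain a raw CR or LF.
    static boolean containsCrLf(String url) {
        return url.indexOf('\r') >= 0 || url.indexOf('\n') >= 0;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> params = new LinkedHashMap<>();
        // Constructed key: the decoded form of the report's example query string.
        params.put("\nSet-Cookie: newcookie=injectme\n", "");
        String unsafe = buildValuesOnly("/somepage.xhtml", params);
        String safe = buildKeysAndValues("/somepage.xhtml", params);
        System.out.println("values-only builder contains CR/LF: " + containsCrLf(unsafe));
        System.out.println("keys+values builder contains CR/LF: " + containsCrLf(safe));
        System.out.println("encoded redirect target: " + safe);
    }
}
```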



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)