Hello all,
When a Wicket application is installed on Tomcat and you call that
application through HTTP, Wicket is protected against HTTP Response
Splitting. However, when you call Tomcat through AJP (for example
through an Apache httpd proxy), HTTP Response Splitting becomes possible.
To demonstrate, I created a simple application and called it through an
AJP proxy with the curl command:
curl --max-redirs 0 -Dfoo 'http:///myapp/home?wicket:bookmarkablePage=:org.apache.wicket.markup.html.pages.BrowserInfoPage&cto=Foobar%3f%0d%0aEvilHeader:%20SPLIT%2f-%0d%0aAnotherEvilHeader:%20HEADER'
Note the '%0d%0a', a CRLF in the request. When calling Wicket through
Tomcat, these are replaced by spaces, but when calling Wicket through
AJP, these are left intact, getting us the following response:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 02 Nov 2011 14:34:32 GMT
Server: Apache
Set-Cookie: JSESSIONID=4F403B53D091B40F6C3FBC2321A2E348.pub-app04; Path=/myapp; HttpOnly
Location: http://<ip-address>/myapp/Foobar;jsessionid=4F403B53D091B40F6C3FBC2321A2E348.pub-app04?
EvilHeader: SPLIT/-
AnotherEvilHeader: HEADER
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we have two evil headers that could be inserted by hackers by adding
%0d%0a to the GET request.
Is there anything we can do about this? We use mod_jk 1.2.31 on our
httpd server.
Cheers!
Gert-Jan
--
Gert-Jan Schouten
Java Developer
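The behaviour described in the mail, modelled as an added example (this is not code from the post, from Wicket or from Tomcat): the `cto` value from the curl request is URL-decoded, written into a redirect's `Location` header once with CR/LF replaced by spaces (the behaviour the post reports for the plain HTTP connector) and once left intact (the AJP case), and the resulting header block is parsed the way a client would, so the two injected headers appear as separate headers only in the unsanitised case. The host `example.invalid`, the function names and the access-log line are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample: the "cto" parameter value exactly as it appears in the post's curl command.
RAW_CTO = "Foobar%3f%0d%0aEvilHeader:%20SPLIT%2f-%0d%0aAnotherEvilHeader:%20HEADER"
BASE = "http://example.invalid/myapp/"  # hypothetical host standing in for the elided one

# CR, LF and NUL may never appear inside an HTTP header value.
CTL_CHARS = re.compile(r"[\r\n\x00]")


def sanitize_header_value(value):
    """Replace-style mitigation: CR/LF/NUL become spaces, so the value stays on one header line."""
    return CTL_CHARS.sub(" ", value)


def strict_header_value(value):
    """Reject-style mitigation: refuse to emit a header whose value contains CR/LF/NUL at all."""
    if CTL_CHARS.search(value):
        raise ValueError("control characters in header value")
    return value


def build_redirect(location, sanitize):
    """Return the raw header block of a 302 response redirecting to `location`.

    With sanitize=False the value is written verbatim, which is the AJP behaviour the post shows.
    """
    loc = sanitize_header_value(location) if sanitize else location
    lines = [
        "HTTP/1.1 302 Moved Temporarily",
        "Location: " + loc,
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(raw):
    """Parse a raw response header block as a client does: status line, then name: value lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers


def has_crlf_injection(url_or_query):
    """Detection helper: True if the URL-decoded request contains CR or LF.

    Useful over access logs or at a reverse proxy to flag response-splitting attempts.
    """
    return CTL_CHARS.search(unquote(url_or_query)) is not None


def demo():
    decoded = unquote(RAW_CTO)  # "Foobar?\r\nEvilHeader: SPLIT/-\r\nAnotherEvilHeader: HEADER"
    _, split_headers = parse_headers(build_redirect(BASE + decoded, sanitize=False))
    _, safe_headers = parse_headers(build_redirect(BASE + decoded, sanitize=True))
    return decoded, split_headers, safe_headers


if __name__ == "__main__":
    decoded, split_headers, safe_headers = demo()
    print("injected header names (AJP, verbatim):", sorted(split_headers))
    print("header names with CR/LF replaced:     ", sorted(safe_headers))
    # Constructed access-log style line carrying the same request.
    log_line = '10.0.0.5 - - [02/Nov/2011:14:34:32 +0000] "GET /myapp/home?cto=' + RAW_CTO + ' HTTP/1.1" 302 0'
    print("split attempt in log line:", has_crlf_injection(log_line))
```

The replace-style function keeps the whole attacker-supplied string inside the single `Location` value, so the client sees one redirect target and no extra headers; the reject-style variant is the stricter choice when the value is under the application's control and a CR/LF can only mean tampering. The detection helper decodes before matching, since the request carries `%0d%0a` rather than literal control characters.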