Hi,

Can you describe what exactly is the problem with these custom headers?
On Thu, Nov 3, 2011 at 2:04 PM, Gert-Jan Schouten <[email protected]> wrote:
> Hello all,
>
> When having a Wicket application installed on Tomcat and you call that
> application through HTTP, Wicket is protected against HTTP Response
> Splitting. However, when you call Tomcat through AJP (for example through an
> apache httpd proxy), HTTP Response Splitting becomes possible.
>
> To demonstrate, I created a simple application and called it through an AJP
> proxy with the curl command:
>
> curl --max-redirs 0 -Dfoo 'http:///myapp/home?wicket:bookmarkablePage=:org.apache.wicket.markup.html.pages.BrowserInfoPage&cto=Foobar%3f%0d%0aEvilHeader:%20SPLIT%2f-%0d%0aAnotherEvilHeader:%20HEADER'
>
> Note the '%0d%0a', a CRLF in the request. When calling Wicket through
> Tomcat, these are replaced by spaces, but when calling Wicket through AJP,
> these are left intact, getting us the following response:
>
> HTTP/1.1 302 Moved Temporarily
> Date: Wed, 02 Nov 2011 14:34:32 GMT
> Server: Apache
> Set-Cookie: JSESSIONID=4F403B53D091B40F6C3FBC2321A2E348.pub-app04; Path=/myapp; HttpOnly
> Location: http://<ip-address>/myapp/Foobar;jsessionid=4F403B53D091B40F6C3FBC2321A2E348.pub-app04?
> EvilHeader: SPLIT/-
> AnotherEvilHeader: HEADER
> Content-Length: 0
> Connection: close
> Content-Type: text/plain; charset=UTF-8
>
> Here we have 2 Evil Headers that could be inserted by hackers by adding
> %0d%0a to the get-request.
>
> Is there anything we can do about this? We use mod_jk 1.2.31 on our httpd
> server.
>
> Cheers!
>
> Gert-Jan
>
> --
> *Gert-Jan Schouten
> Java Developer*

--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
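As an added illustration of the defensive side of the quoted report (this is not code from the thread, from Wicket or from Tomcat): the checks below run over the exact URL from the curl command, flag the `cto` parameter whose decoded value carries CR/LF, and show the two ways a container or filter can treat such a value before it reaches a Location header, namely neutralising it the way the report says the HTTP connector does, or refusing it outright. The URL is copied from the report with its host left out as in the original; the function names are my own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed from the curl command in the report (host omitted there too).
REPORTED_URL = (
    "http:///myapp/home?wicket:bookmarkablePage=:org.apache.wicket."
    "markup.html.pages.BrowserInfoPage"
    "&cto=Foobar%3f%0d%0aEvilHeader:%20SPLIT%2f-%0d%0aAnotherEvilHeader:%20HEADER"
)

# Bare CR, LF and NUL are never legal inside an HTTP header value; any one of
# them lets a parameter value terminate the header it lands in.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_header_safe(value: str) -> bool:
    """True if a decoded value can be placed in a header without splitting it."""
    return _FORBIDDEN.search(value) is None


def crlf_params(url: str) -> list:
    """Names of query parameters whose decoded value carries CR/LF or NUL.

    This is the check a fronting proxy or a servlet filter can apply once,
    before any value reaches code that writes Location or Set-Cookie.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs if not is_header_safe(value)]


def sanitize_like_tomcat(value: str) -> str:
    """Mirror what the report says the HTTP connector does: CR and LF are
    replaced by spaces, so the value stays on a single header line."""
    return _FORBIDDEN.sub(" ", value)


def safe_redirect_target(value: str) -> str:
    """Stricter alternative: refuse instead of patching. Raises ValueError so
    the caller can answer 400 rather than emit a 302 with a tainted Location."""
    if not is_header_safe(value):
        raise ValueError("redirect target contains CR, LF or NUL")
    return value


if __name__ == "__main__":
    for name in crlf_params(REPORTED_URL):
        print(f"parameter {name!r} would split the response headers")
```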
