Trouble with cookies and redirect

From: Ulf Harnhammar (metaurat_private)
Date: Sat Nov 17 2001 - 04:55:28 PST

All this talk about cookies has got me thinking about another, related problem. There is lots of HTTP redirecting code floating around the net, and some of it decodes the incoming data from its URL-encoded state. This makes it possible to include CR+LF characters in the URL-encoded data (by typing in something like "%0d%0a"), which in turn allows an attacker to set cookies that will be sent from the server to the victim.

If the code looks like this (in Perl):

print "Location: $url\015\012\015\012";

and the attacker somehow manages to give $url the value "http://slashdot.org/\015\012Set-Cookie: evil=natas", a cookie will be set before redirecting. If this is used in a system where users can send in links that other users are redirected to, the attackers can set arbitrary cookies that will be sent from the server to the victim(s). Not very good.

Fix: remove all CR and LF characters from $url before redirecting:

$url =~ tr/\015\012//d;

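The pattern and fix described above, as an added example that is not part of the original post: the Perl redirect and its tr/\015\012//d fix are rewritten in Python so the resulting raw response can be parsed the way a browser would and the smuggled Set-Cookie line made visible. The sample input is the URL-encoded form of the value quoted in the post; the function names (vulnerable_redirect, stripped_redirect, strict_redirect, parse_headers, response_is_safe) are hypothetical, and strict_redirect is an additional reject-instead-of-strip variant rather than anything the post proposes.

```python
"""Added example, not code from the post: the post's Perl redirect pattern
and its fix, rewritten in Python so the injected header is visible."""
import re
from urllib.parse import unquote

CRLF = "\r\n"

# Constructed input: URL-encoded form of the value quoted in the post.
# "%0d%0a" decodes to CR+LF, which a header-building script then emits
# as a line break, turning the rest of the value into a new header line.
SAMPLE_INPUT = "http://slashdot.org/%0d%0aSet-Cookie: evil=natas"


def vulnerable_redirect(encoded_url: str) -> str:
    """Mirrors  print "Location: $url\\015\\012\\015\\012";  in a script
    that URL-decodes its input first: any CR/LF in the decoded value
    ends up as extra header lines in the response."""
    url = unquote(encoded_url)
    return f"Location: {url}{CRLF}{CRLF}"


def stripped_redirect(encoded_url: str) -> str:
    """The post's fix ($url =~ tr/\\015\\012//d): delete every CR and LF
    from the decoded value before it reaches the header."""
    url = unquote(encoded_url).replace("\r", "").replace("\n", "")
    return f"Location: {url}{CRLF}{CRLF}"


def strict_redirect(encoded_url: str) -> str:
    """Hypothetical stricter variant (not from the post): refuse the value
    instead of silently repairing it, so the attempt surfaces as an error
    that can be logged and alerted on."""
    url = unquote(encoded_url)
    if re.search(r"[\r\n\x00]", url):
        raise ValueError("control character in redirect target")
    return f"Location: {url}{CRLF}{CRLF}"


def parse_headers(raw_response: str) -> dict[str, list[str]]:
    """Split a raw header block the way an HTTP client does: one header per
    CRLF-terminated line, name before the first colon, names lower-cased.
    Used here to show what the victim's browser would act on."""
    head = raw_response.split(CRLF + CRLF, 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split(CRLF):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def response_is_safe(raw_response: str) -> bool:
    """A redirect built from user input should carry exactly one header,
    Location, and nothing smuggled in after it."""
    headers = parse_headers(raw_response)
    return set(headers) == {"location"} and len(headers["location"]) == 1


if __name__ == "__main__":
    print(parse_headers(vulnerable_redirect(SAMPLE_INPUT)))  # Set-Cookie present
    print(parse_headers(stripped_redirect(SAMPLE_INPUT)))    # only Location
    try:
        strict_redirect(SAMPLE_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

Stripping, as the post does, keeps the request working but leaves "Set-Cookie: evil=natas" glued onto the end of the Location value; rejecting the decoded value instead turns each attempt into a logged error, which is the more useful signal when the redirect target comes from other users. Either way the check must run on the decoded value, since it is the decoding step that turns "%0d%0a" into the line break.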
// Ulf Härnhammar
metaurat_private
    
    
    



    This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 12:17:18 PST