Bugtraq mailing list archives

Trouble with cookies and redirect
From: "Ulf Harnhammar" <metaur () prontomail com>
Date: Sat, 17 Nov 2001 13:55:28 +0100

All this talk about cookies has got me thinking about another,
related problem. There is lots of HTTP redirecting code floating
around the net, and some of it decodes the incoming data from its URL-
encoded state. This makes it possible to include CR+LF characters in
the URL-encoded data (by typing in something like "%0d%0a"), which in
turn allows an attacker to set cookies that will be sent from the
server to the victim.

If the code looks like this (in Perl):

print "Location: $url\015\012\015\012";

and the attacker somehow manages to give $url the
value "http://slashdot.org/\015\012Set-Cookie: evil=natas", a cookie 
will be set before redirecting. If this is used in a system where
users can send in links that other users are redirected to, the
attackers can set arbitrary cookies that will be sent from the server
to the victim(s). Not very good.

Fix: remove all CR and LF characters from $url before redirecting:

$url =~ tr/\015\012//d;

// Ulf Härnhammar
metaur () prontomail com

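The header-splitting problem and the fix described in the post, as an added example that is not part of the original message. It is written in Python rather than the Perl on the page, and everything in it (the `example.com` host, the cookie name, the function names) is constructed for illustration. It builds a redirect the vulnerable way, parses the resulting header block the way a client would so the extra `Set-Cookie` header becomes visible, and then shows the post's CR/LF-stripping fix next to a stricter reject-and-validate variant that is my addition, not the post's.

```python
"""Added example (not from the Bugtraq post): CR/LF in a URL-decoded redirect
target splits the Location header. Hosts, paths and cookie values below are
constructed sample data."""
from urllib.parse import unquote, urlsplit

CRLF = "\r\n"


def build_redirect_unsafe(encoded_url: str) -> str:
    # Mirrors the post's vulnerable pattern: decode %xx sequences, then
    # interpolate the result straight into the header block.
    url = unquote(encoded_url)
    return f"Location: {url}{CRLF}{CRLF}"


def build_redirect_stripped(encoded_url: str) -> str:
    # The fix the post proposes (Perl: $url =~ tr/\015\012//d):
    # delete every CR and LF before emitting the header.
    url = unquote(encoded_url).replace("\r", "").replace("\n", "")
    return f"Location: {url}{CRLF}{CRLF}"


def build_redirect_strict(encoded_url: str) -> str:
    # Stricter variant (my addition, not the post's): reject instead of
    # strip, and only accept absolute http(s) targets, so a tampered value
    # fails loudly rather than silently turning into an odd-looking URL.
    url = unquote(encoded_url)
    if not url.isprintable():  # catches \r, \n, \0 and other control chars
        raise ValueError("control characters in redirect target")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirect target must be an absolute http(s) URL")
    return f"Location: {url}{CRLF}{CRLF}"


def parse_headers(raw: str) -> dict:
    # Split the header block the way an HTTP client would: one header per
    # CRLF-terminated line, stopping at the blank line. Names are lowercased;
    # repeated headers are collected into a list.
    headers = {}
    for line in raw.split(CRLF):
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_headers(raw: str) -> list:
    # Detection helper: a redirect built from a single URL should carry only
    # Location. Any other header name means the value split the response.
    return sorted(h for h in parse_headers(raw) if h != "location")


if __name__ == "__main__":
    # Constructed attacker-style input: an encoded CR+LF followed by a header.
    evil = "http://example.com/%0d%0aSet-Cookie:%20evil=natas"
    print("unsafe   ->", injected_headers(build_redirect_unsafe(evil)))
    print("stripped ->", injected_headers(build_redirect_stripped(evil)))
    try:
        build_redirect_strict(evil)
    except ValueError as err:
        print("strict   -> rejected:", err)
```

Stripping CR/LF, as the post suggests, is enough to stop the split; the strict variant additionally refuses targets that are not absolute `http(s)` URLs, which is the behaviour a practitioner would usually want from a redirector that accepts user-supplied links.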
