perl-CGI Newline injection in Set-Cookie and P3P headers

2012.11.17
Credit: anazawa
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2012-5526
CWE: N/A


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

header() can generate Set-Cookie and P3P headers which contain invalid newlines. use CGI qw/header/; print header( -cookie => [ "foo\nbar\nbaz", ], -p3p => [ "foo\nbar\nbaz", ], ); # [STDOUT] # P3P: policyref="/w3c/p3p.xml", CP="foo # bar # baz" # Set-Cookie: foo # bar # baz # Date: Sat, 10 Nov 2012 03:19:23 GMT # Content-Type: text/html; charset=ISO-8859-1 # In this case, values of these headers are array references and so the following substitution doesn't work: $header =~ s/$CRLF(\s)/$1/g; (https://github.com/markstos/CGI.pm/blob/master/lib/CGI.pm#L1506) where $header is an array reference. Those values should be stringified before CR escaping is done. PS: My previous request "Investigated how CGI::header() process undef" is closed temporarily because the priority of this request is higher than the previous one. Sorry for the incovenience. I'll reopen the previous one after this issue is closed.

Referencje:

https://bugzilla.redhat.com/show_bug.cgi?id=877015
https://github.com/markstos/CGI.pm/pull/23
https://github.com/markstos/CGI.pm/blob/master/lib/CGI.pm#L1506


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top