perl-CGI Newline injection in Set-Cookie and P3P headers

2012.11.17
Credit: anazawa
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2012-5526
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

header() can generate Set-Cookie and P3P headers which contain invalid newlines. use CGI qw/header/; print header( -cookie => [ "foo\nbar\nbaz", ], -p3p => [ "foo\nbar\nbaz", ], ); # [STDOUT] # P3P: policyref="/w3c/p3p.xml", CP="foo # bar # baz" # Set-Cookie: foo # bar # baz # Date: Sat, 10 Nov 2012 03:19:23 GMT # Content-Type: text/html; charset=ISO-8859-1 # In this case, values of these headers are array references and so the following substitution doesn't work: $header =~ s/$CRLF(\s)/$1/g; (https://github.com/markstos/CGI.pm/blob/master/lib/CGI.pm#L1506) where $header is an array reference. Those values should be stringified before CR escaping is done. PS: My previous request "Investigated how CGI::header() process undef" is closed temporarily because the priority of this request is higher than the previous one. Sorry for the incovenience. I'll reopen the previous one after this issue is closed.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=877015
https://github.com/markstos/CGI.pm/pull/23
https://github.com/markstos/CGI.pm/blob/master/lib/CGI.pm#L1506


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top