
HTTP header injection via xredirect


Details

    • Bug
    • Resolution: Fixed
    • Minor
    • 6.0, 6.1-milestone-1, 5.4.5
    • 2.2.3, 2.3, 2.4 M1
    • Model
    • None
    • Tomcat 6.0.26
    • security, header injection
    • Unknown
    • N/A
    • N/A

    Description

      Reported by the Dutch security audit.

      It is possible to inject HTTP headers using the xredirect parameter. This can be used to inject cookies via a Set-Cookie header, and possibly to inject malicious data into server logs.

      http://localhost:8080/xwiki/bin/login/XWiki/XWikiLogin?xredirect=test%0d%0aX-Header:

      This vulnerability does not seem to work on the latest version of Jetty, and was fixed in at least Tomcat 5.5 in 2008 (see the Tomcat mailing list: http://mail-archives.apache.org/mod_mbox/tomcat-dev/200803.mbox/%3C47E96A99.40808@hanik.com%3E). However, it might still be a good idea to remove newlines from xredirect and escape it, in case a vulnerable container is used.
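      The two mitigations the report suggests (rejecting the redirect target outright, or stripping CR/LF from it) and a log check for the pattern above, written here as an added Python example. This is not XWiki code: the function names, the allowed-host list and the access-log lines are all constructed for illustration, and the checks apply to any servlet that copies a request parameter into a Location header.

```python
"""Added example (not XWiki's code): guard a redirect parameter against
HTTP response splitting, and scan access logs for attempts.

Assumptions (constructed for this example): the function names below,
the ALLOWED_HOSTS value, and the SAMPLE_LOG lines.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that must never reach a response header value.
HEADER_BREAK_CHARS = ("\r", "\n", "\x00")

# Assumed deployment setting: hosts an absolute xredirect may point to.
ALLOWED_HOSTS = ("localhost:8080",)


class UnsafeRedirectError(ValueError):
    """Raised when a redirect target could split the HTTP response."""


def sanitize_redirect(raw_value: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a safe redirect target or raise UnsafeRedirectError.

    The query string is percent-decoded once (as the container does), so a
    literal CR/LF is what would end up in the Location header. Any control
    character is rejected, and only same-site paths or listed hosts pass.
    """
    decoded = unquote(raw_value)
    if any(ch in decoded for ch in HEADER_BREAK_CHARS):
        raise UnsafeRedirectError("control character in redirect target")
    # Remaining non-printable ASCII is equally unwelcome in a header.
    if re.search(r"[\x00-\x1f\x7f]", decoded):
        raise UnsafeRedirectError("non-printable character in redirect target")
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative, e.g. //host/) target: check the host.
        if parts.scheme not in ("http", "https") or parts.netloc not in allowed_hosts:
            raise UnsafeRedirectError("redirect to foreign host refused")
        return decoded
    # Relative target: must be an absolute path on this site.
    if not decoded.startswith("/") or decoded.startswith("//"):
        raise UnsafeRedirectError("relative redirect must be an absolute path")
    return decoded


def is_safe_redirect(raw_value: str) -> bool:
    """Boolean wrapper around sanitize_redirect for callers that only branch."""
    try:
        sanitize_redirect(raw_value)
        return True
    except UnsafeRedirectError:
        return False


def strip_header_breaks(raw_value: str) -> str:
    """Lenient alternative the report also mentions: drop CR/LF/NUL after decoding.

    Rejecting is preferable; stripping keeps the request alive but silently
    changes the target, so log it if you use this path.
    """
    decoded = unquote(raw_value)
    return "".join(ch for ch in decoded if ch not in HEADER_BREAK_CHARS)


# Constructed access-log lines (not real XWiki or Tomcat logs).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Apr/2010:10:00:01 +0200] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F HTTP/1.1" 302 0',
    '127.0.0.1 - - [10/Apr/2010:10:00:02 +0200] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?xredirect=test%0d%0aX-Header: HTTP/1.1" 302 0',
    '127.0.0.1 - - [10/Apr/2010:10:00:03 +0200] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def find_header_injection_attempts(log_lines):
    """Return the log lines whose xredirect parameter decodes to a CR or LF.

    Decoding via parse_qsl catches %0d/%0a in any case and mixed encodings.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == "xredirect" and any(c in value for c in "\r\n"):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    for line in find_header_injection_attempts(SAMPLE_LOG):
        print("header injection attempt:", line)
```

      Decoding exactly once matters: the container decodes the query string before the servlet sees it, so a doubly encoded `%250d` arrives as the harmless literal `%0d` and is correctly left alone, while `%0d%0a` arrives as a real CR/LF and is refused.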


          People

            sdumitriu Sergiu Dumitriu
            nickless Alex Busenius
