DeltaSpike > DELTASPIKE-963

Header injection due to unescaped key in JsfUtils


Details

    Type: Bug
    Status: Closed
    Priority: Major
    Resolution: Fixed
    Affects Version/s: 1.4.1
    Fix Version/s: 1.5.0
    Component/s: None
    Labels: None

Description

    The JsfUtils used in DeltaSpike URL-encode the values but not the keys. This allows header injection (see https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on this attack type). As an example, if I open a page without a window ID, and thus have a redirect by DefaultClientWindow.getOrCreateWindowId() in it:

    /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a

    will cause the key side to be an unescaped part of the redirect URL and thus cause the cookie to be set. The encodeValues parameter should cause the keys to be encoded as well.
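An added illustration for this report, not code from the issue or from DeltaSpike's JsfUtils: the hypothetical helpers appendValuesOnly and appendEncoded place the value-only encoding the report describes beside the key-and-value encoding it asks for, and isHeaderSafe is a simple pre-redirect check that a URL destined for a Location header carries no raw line breaks. The sample parameter is a constructed, decoded form of the query key quoted in the report. It assumes Java 10 or later for URLEncoder.encode(String, Charset).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper class for DELTASPIKE-963; not DeltaSpike's own JsfUtils.
public class RedirectQueryEncoding {

    // Weak form, mirroring the defect in the report: only the value is URL-encoded,
    // so a key containing CR or LF lands in the redirect URL verbatim and from there
    // in the Location header, where the line break starts a new header line.
    static String appendValuesOnly(String baseUrl, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(baseUrl);
        char sep = baseUrl.indexOf('?') >= 0 ? '&' : '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep)
              .append(e.getKey())   // key passed through unescaped
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return sb.toString();
    }

    // Hardened form: key and value both go through URLEncoder, so CR and LF become
    // %0D and %0A and can no longer terminate a header line.
    static String appendEncoded(String baseUrl, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(baseUrl);
        char sep = baseUrl.indexOf('?') >= 0 ? '&' : '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep)
              .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return sb.toString();
    }

    // Last-line defence before sendRedirect(): whatever built the URL, a value that
    // is about to become a header must contain no raw line breaks.
    static boolean isHeaderSafe(String url) {
        return url.indexOf('\r') < 0 && url.indexOf('\n') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample: the decoded form of the query key quoted in the report.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("\nSet-Cookie: newcookie=injectme\n", "");

        String weak = appendValuesOnly("/somepage.xhtml", params);
        String safe = appendEncoded("/somepage.xhtml", params);

        System.out.println("values-only encoding header-safe: " + isHeaderSafe(weak));
        System.out.println("key+value encoding header-safe:   " + isHeaderSafe(safe));
        System.out.println("hardened redirect target: " + safe);
    }
}
```

Running it shows the values-only build failing the isHeaderSafe check while the key-and-value build passes, with the line breaks in the key rendered as %0A in the hardened URL. Encoding at construction time is the fix the report asks for; the separate check exists so that a redirect helper still refuses a header-unsafe URL if some other code path ever assembles one.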

People

    tandraschko Thomas Andraschko
    oescher Ortwin Escher
    Votes: 0
    Watchers: 2