
Re: (issue 30) - concrete security-related examples

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Tue, 21 Jul 2009 21:43:45 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: Amit Klein <aksecurity@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1248205425.23873.715.camel@localhost.localdomain>
On Tue, 2009-07-21 at 11:37 +1000, Mark Nottingham wrote:

> Underscores are allowed in HTTP header field-names.

True, but the exploit is still very much valid. It's not an exploit on
HTTP as such but on a large family of specifications for running code on
HTTP servers (CGI, PHP, etc.), as most of those specs translate - to _,
which gets ambiguous when there are headers having _ in their name.

Which begs the question of whether this is sufficient grounds for banning
the use of headers using _ where there are standards-track headers with
the same name using -.

User-Agent is mentioned in the report, but I can imagine there are
interesting, or at least disturbing, tricks to be done using
Content-Length, Accept-*, etc. beyond the potential XSS issues the report
mentions, especially when there are caches involved and the resource in
question does some kind of content negotiation.

Regards
Henrik 
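The translation Henrik describes, as an added example that is not part of the original message or of any of the projects it mentions: the CGI mapping from RFC 3875 section 4.1.18 (uppercase the field-name, replace "-" with "_", prepend "HTTP_") sends both `User-Agent` and `User_Agent` to the same `HTTP_USER_AGENT` meta-variable, so whichever header the gateway processes last wins. The guard below is a hardening choice of this example, not anything the RFC requires: it groups the incoming field-names by the meta-variable they would become and refuses the request when two distinct names collide. The header lists and values are constructed for the example.

```python
"""Added example: CGI header-name translation ('-' -> '_') and a guard
that detects field-names which collapse to the same meta-variable."""
from collections import defaultdict

# Constructed sample requests (header field-name, value), as a gateway
# would receive them after parsing the request line and headers.
BENIGN_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "Mozilla/5.0 (constructed)"),
    ("Accept-Language", "en"),
]

# Same request, but with a second header whose name differs from
# User-Agent only by the '_' / '-' distinction that CGI erases.
AMBIGUOUS_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "Mozilla/5.0 (constructed)"),
    ("User_Agent", "injected-value"),
]


def cgi_meta_variable(field_name: str) -> str:
    """RFC 3875 s4.1.18 translation of an HTTP field-name into the CGI
    meta-variable name: upper case, '-' replaced by '_', 'HTTP_' prefix."""
    return "HTTP_" + field_name.upper().replace("-", "_")


def naive_environ(headers):
    """What an unguarded gateway does: later headers silently overwrite
    earlier ones that map to the same meta-variable name."""
    env = {}
    for name, value in headers:
        env[cgi_meta_variable(name)] = value
    return env


def find_collisions(headers):
    """Return {meta_variable: [distinct field-names]} for every
    meta-variable produced by more than one distinct field-name.
    Field-names are compared case-insensitively, since HTTP field-names
    are case-insensitive; the '-' vs '_' difference is what we keep."""
    groups = defaultdict(set)
    for name, _value in headers:
        groups[cgi_meta_variable(name)].add(name.lower())
    return {mv: sorted(names) for mv, names in groups.items()
            if len(names) > 1}


def safe_environ(headers):
    """Build the CGI environment only when no two distinct field-names
    collide; otherwise raise so the gateway can reject the request
    (an example hardening policy, not RFC-mandated behaviour)."""
    collisions = find_collisions(headers)
    if collisions:
        raise ValueError(f"ambiguous header translation: {collisions}")
    return naive_environ(headers)


if __name__ == "__main__":
    print("benign:", safe_environ(BENIGN_HEADERS)["HTTP_USER_AGENT"])
    print("unguarded:", naive_environ(AMBIGUOUS_HEADERS)["HTTP_USER_AGENT"])
    try:
        safe_environ(AMBIGUOUS_HEADERS)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting outright is the simplest policy; a gateway could instead log the collision and drop only the underscored variant, but either way the decision has to happen before the names are flattened, because after translation the two headers are indistinguishable to the CGI or PHP code behind it.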
Received on Tuesday, 21 July 2009 19:47:41 GMT
