
Security bug in XmlHttpRequest, setRequestHeader()

From: Hill, Brad <bhill@paypal-inc.com>
Date: Thu, 5 Jan 2012 16:26:25 -0700
To: "WebApps WG (public-webapps@w3.org)" <public-webapps@w3.org>
Message-ID: <213E0EC97FE58F469BB618245B3118BB555974461B@DEN-MEXMS-001.corp.ebay.com>
Kousuke Ebihara (kousuke at co3k.org) has discovered an interesting security bug with XHR.

Basically, for CGI programs, characters that are valid in HTTP headers but not in Unix shell environment variables are commonly all coerced to "_".  This allows bypass of the security restrictions in http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method, section 5.  If an application sets, e.g., a header of "User_Agent" (or in some cases "User.Agent", "User*Agent", etc.), that is indistinguishable when delivered to a CGI application from the forbidden "User-Agent".

As this behavior is at least partially formally documented in http://tools.ietf.org/html/rfc3875#section-4.1.18, and very widely implemented, the algorithm for XHR should be updated to at least consider "_", and possibly all non-alphanumeric characters, as equivalent to "-" for purposes of comparison to the blacklisted header set.

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad
email: bhill@paypal-inc.com
Received on Thursday, 5 January 2012 23:26:56 UTC
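The collision Brad describes, and the normalised comparison he proposes, as an added JavaScript example that is not code from the original message, the XHR specification or any browser. The forbidden-header list is an illustrative subset of the spec's list, the function names are my own, and the `lenient` mode of the CGI mapping stands for the "in some cases" behaviour of servers that rewrite every non-alphanumeric character, not only "-", to "_".

```javascript
// Added example (not from the original message or the XHR spec): how the
// CGI meta-variable mapping of RFC 3875 s4.1.18 collapses distinct header
// names onto one environment variable, and a setRequestHeader check that
// compares against the forbidden list only after the same collapsing.
// Function and list names below are my own.

// Illustrative subset of the request headers the XHR spec forbids a page
// from setting; the spec also rejects any name starting with "Proxy-" or "Sec-".
const FORBIDDEN_HEADERS = new Set([
  "accept-charset", "accept-encoding", "connection", "content-length",
  "cookie", "cookie2", "date", "expect", "host", "keep-alive", "referer",
  "te", "trailer", "transfer-encoding", "upgrade", "user-agent", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// RFC 3875 s4.1.18: a request header becomes HTTP_ + the name in upper case
// with "-" replaced by "_". With `lenient` set (assumed to model common
// server behaviour), every character that is not a letter or digit is
// mapped to "_", since such characters are illegal in environment-variable names.
function cgiMetaVariable(headerName, lenient = false) {
  const pattern = lenient ? /[^A-Za-z0-9]/g : /-/g;
  return "HTTP_" + headerName.toUpperCase().replace(pattern, "_");
}

// Check as the spec wrote it: case-insensitive exact comparison.
function isForbiddenNaive(headerName) {
  const name = headerName.toLowerCase();
  return FORBIDDEN_HEADERS.has(name) || FORBIDDEN_PREFIXES.some((p) => name.startsWith(p));
}

// Check with the normalisation the message proposes: treat every
// non-alphanumeric character as "-" before comparing, so a name a CGI
// program cannot tell apart from a forbidden one is refused as well.
function isForbiddenNormalised(headerName) {
  const name = headerName.toLowerCase().replace(/[^a-z0-9]/g, "-");
  return FORBIDDEN_HEADERS.has(name) || FORBIDDEN_PREFIXES.some((p) => name.startsWith(p));
}

// Minimal stand-in for XMLHttpRequest.setRequestHeader: stores the header in
// `headers` (a Map) and returns it, or throws for an invalid or forbidden
// name. `check` selects which rule is applied.
function setRequestHeader(headers, name, value, check = isForbiddenNormalised) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error("invalid header field name: " + name);
  }
  if (check(name)) {
    throw new Error("refusing forbidden header: " + name);
  }
  headers.set(name, value);
  return headers;
}

// Walk through the bypass: the naive check accepts "User_Agent", the CGI
// program sees HTTP_USER_AGENT, which is exactly what a real User-Agent
// header would produce, and the normalised check closes the hole.
function demonstrate() {
  const spoof = "User_Agent";
  return {
    naiveAccepted: !isForbiddenNaive(spoof),
    collides: cgiMetaVariable(spoof) === cgiMetaVariable("User-Agent"),
    normalisedRefused: isForbiddenNormalised(spoof),
  };
}

console.log(demonstrate());
```

Note that the strict RFC mapping leaves "User.Agent" as HTTP_USER.AGENT, which is why the message says those variants collide only "in some cases"; the normalised check treats them as forbidden regardless, which is the conservative choice for the client side.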