Security bug in XmlHttpRequest, setRequestHeader()

Kousuke Ebihara (kousuke at co3k.org) has discovered an interesting security bug with XHR.

http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-January/008170.html 

Basically, for CGI programs, characters that are valid in HTTP headers but not in Unix shell environment variables are commonly all coerced to "_".  This allows bypass of the security restrictions in http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method, section 5.  If an application sets, e.g. a header of "User_Agent" (or in some cases "User.Agent", "User*Agent", etc...), that is indistinguishable when delivered to a CGI application from the forbidden "User-Agent". 

As this behavior is at least partially formally documented in  http://tools.ietf.org/html/rfc3875#section-4.1.18 , and very widely implemented, the algorithm for XHR should be updated to at least consider "_", and possibly all non-alphanumeric characters, as equivalent to "-" for purposes of comparison to the blacklisted header set.

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad
email: bhill@paypal-inc.com

Received on Thursday, 5 January 2012 23:26:56 UTC
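As an added example (not code from the original post, from the XHR specification, or from any browser or web server), the following JavaScript models the two things the message describes: the CGI mapping of HTTP header names to HTTP_* meta-variables (RFC 3875 section 4.1.18, plus the common server behaviour of coercing every other non-alphanumeric character to "_"), and a forbidden-header check for setRequestHeader() that normalises names before comparing, as the message proposes. The forbidden header list is a subset of the XHR list (an assumption: enough for the demonstration, not the full spec list), and the request at the bottom is constructed for the example.

```javascript
// Added example, not code from the original post or from any browser or
// server. Models (1) the CGI meta-variable mapping for HTTP headers and
// (2) a normalised forbidden-header check for XHR setRequestHeader().

// Subset of the XHR forbidden header names (assumption: enough to
// demonstrate the collision; the real spec list is longer).
const FORBIDDEN_HEADER_NAMES = [
  'Accept-Charset', 'Accept-Encoding', 'Connection', 'Content-Length',
  'Cookie', 'Cookie2', 'Date', 'Expect', 'Host', 'Keep-Alive', 'Origin',
  'Referer', 'TE', 'Trailer', 'Transfer-Encoding', 'Upgrade', 'User-Agent',
  'Via',
];

// RFC 3875 section 4.1.18: "HTTP_" + field name upper-cased, "-" -> "_".
// Assumption (matching the message's description of common servers): every
// other character that is not legal in an environment variable name is
// also coerced to "_", so "User.Agent" and "User*Agent" collide as well.
function cgiMetaVariableName(headerName) {
  return 'HTTP_' + headerName.toUpperCase().replace(/[^A-Z0-9]/g, '_');
}

// Builds the environment a CGI script would see from an ordered list of
// [name, value] pairs as sent on the wire. When two differently spelled
// names land on the same meta-variable the values are joined (assumption:
// some servers keep only one of them; in either case the script cannot
// tell which header field produced the value).
function cgiEnvironmentFromHeaders(headers) {
  const env = {};
  for (const [name, value] of headers) {
    const key = cgiMetaVariableName(name);
    env[key] = key in env ? env[key] + ', ' + value : value;
  }
  return env;
}

// Literal (case-insensitive) comparison against the forbidden list, i.e.
// the check a straightforward reading of the XHR spec gives you.
function isForbiddenLiteral(name) {
  const lower = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.some((h) => h.toLowerCase() === lower);
}

// Normalised comparison, as the message proposes: treat every
// non-alphanumeric character as "-" before comparing, so any spelling that
// CGI would collapse onto a forbidden meta-variable is rejected too.
function normalizeForComparison(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, '-');
}

function isForbiddenNormalized(name) {
  const norm = normalizeForComparison(name);
  return FORBIDDEN_HEADER_NAMES.some((h) => normalizeForComparison(h) === norm);
}

// Returns the forbidden header that `name` would be indistinguishable from
// once delivered to a CGI script, or null if it gets a meta-variable of its own.
function cgiCollision(name) {
  const key = cgiMetaVariableName(name);
  return FORBIDDEN_HEADER_NAMES.find((h) => cgiMetaVariableName(h) === key) || null;
}

// Constructed request (not a real capture): the browser's own User-Agent
// plus a script-supplied "User_Agent" that passes the literal check.
const constructedRequest = [
  ['Host', 'example.test'],
  ['User-Agent', 'Mozilla/5.0 (browser-generated)'],
  ['User_Agent', 'injected-by-script'],
];

function demo() {
  const env = cgiEnvironmentFromHeaders(constructedRequest);
  return {
    literalAllowsIt: !isForbiddenLiteral('User_Agent'),
    normalizedRejectsIt: isForbiddenNormalized('User_Agent'),
    collidesWith: cgiCollision('User_Agent'),
    httpUserAgent: env.HTTP_USER_AGENT,
  };
}

console.log(demo());
```

The literal check lets "User_Agent" through because it is not byte-for-byte a forbidden name, yet the CGI side receives it in HTTP_USER_AGENT, merged with or replacing the browser's real User-Agent. The normalised check rejects any spelling that collapses onto a forbidden name; applying the same normalisation to "User.Agent" or "User*Agent" gives the same result, since every non-alphanumeric character is folded before comparison.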