Re: (issue 30) - concrete security-related examples

On Tue, 2009-07-21 at 11:37 +1000, Mark Nottingham wrote:

> Underscores are allowed in HTTP header field-names.

True, but the exploit is still very much valid. It's not an exploit on
HTTP as such but on a large family of specifications for running code on
HTTP servers (CGI, PHP, etc.), as most of those specs translate - to _,
which gets ambiguous when there are headers having _ in their name.

Which begs the question whether this is sufficient grounds for banning
the use of headers using _ where there are standards-track headers with
the same name using -.

User-Agent is mentioned in the report, but I can imagine there are
interesting or at least disturbing tricks to be done using
Content-Length, Accept-*, etc., beyond the potential XSS issues the
report mentions, especially when there are caches involved and the
resource in question does some kind of content negotiation.
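As an added illustration (not part of the original thread or of any server's code), the following Python sketch models the CGI meta-variable mapping the reply refers to: the field-name is upper-cased, every - becomes _ and HTTP_ is prefixed (RFC 3875 section 4.1.18, with the Content-Type/Content-Length special case from sections 4.1.2 and 4.1.3), so User_Agent and User-Agent land in the same variable and the later one wins in a naive implementation. The hardened builder simply refuses field-names containing _ before mapping. The two builders, the regex and the request headers are all constructed for this example; the overwrite-on-duplicate behaviour of the naive builder is a simplification of what real servers do.

```python
"""Model of the CGI '-' -> '_' field-name translation and the resulting
header-name collision. Constructed example, not from the thread."""
import re


def cgi_meta_variable(field_name: str) -> str:
    """Map an HTTP field-name to its CGI meta-variable name (RFC 3875)."""
    upper = field_name.upper().replace("-", "_")
    if upper in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return upper  # these two carry no HTTP_ prefix (RFC 3875 4.1.2, 4.1.3)
    return "HTTP_" + upper


def build_cgi_env_naive(headers):
    """Constructed naive builder: headers is a list of (name, value) in wire
    order; a later field that maps to the same variable silently overwrites an
    earlier one, so 'User_Agent' shadows 'User-Agent'."""
    env = {}
    for name, value in headers:
        env[cgi_meta_variable(name)] = value
    return env


# RFC 7230 tchar with '_' deliberately removed: the only character whose
# translation collides with '-'.
TOKEN_NO_UNDERSCORE = re.compile(r"^[!#$%&'*+.^`|~0-9A-Za-z-]+$")


def build_cgi_env_hardened(headers):
    """Constructed hardened builder: drop any field-name containing '_' (or any
    non-token name) before mapping, and combine genuine repeats of the same
    field with ', ' instead of overwriting. Returns (env, dropped_names)."""
    env, dropped = {}, []
    for name, value in headers:
        if not TOKEN_NO_UNDERSCORE.match(name):
            dropped.append(name)
            continue
        var = cgi_meta_variable(name)
        env[var] = env[var] + ", " + value if var in env else value
    return env, dropped


# Constructed request: the client repeats two standard fields spelled with '_'.
REQUEST_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "Mozilla/5.0"),
    ("User_Agent", "<script>alert(1)</script>"),
    ("Content-Length", "5"),
    ("Content_Length", "999"),
]

if __name__ == "__main__":
    naive = build_cgi_env_naive(REQUEST_HEADERS)
    print("naive   HTTP_USER_AGENT =", naive["HTTP_USER_AGENT"])
    print("naive   CONTENT_LENGTH  =", naive["CONTENT_LENGTH"])
    hardened, dropped = build_cgi_env_hardened(REQUEST_HEADERS)
    print("hardened HTTP_USER_AGENT =", hardened["HTTP_USER_AGENT"])
    print("hardened CONTENT_LENGTH  =", hardened["CONTENT_LENGTH"])
    print("dropped:", dropped)
```

Run it and the naive environment reports the underscore spellings for both variables, while the hardened one keeps the hyphenated originals and lists the two rejected names. Whether a server should drop such fields or pass them through under a distinct name is exactly the policy question the message raises; the sketch only shows where the ambiguity arises.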


