- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Tue, 21 Jul 2009 21:43:45 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Amit Klein <aksecurity@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Tue, 2009-07-21 at 11:37 +1000, Mark Nottingham wrote:

> Underscores are allowed in HTTP header field-names.

True, but the exploit is still very much valid. It's not an exploit on HTTP as such but on a large family of specifications for running code on HTTP servers (CGI, PHP, etc.), as most of those specs translate - to _, which gets ambiguous when there are headers having _ in their name.

Which begs the question if this is sufficient grounds for banning the use of headers using _ where there are standards-track headers with the same name using -.

User-Agent is mentioned in the report, but I can imagine there are interesting or at least disturbing tricks to be done using Content-Length, Accept-* etc. beyond the potential XSS issues the report mentions, especially when there are caches involved and the resource in question does some kind of content negotiation.

Regards
Henrik

Received on Tuesday, 21 July 2009 19:47:41 UTC
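
The ambiguity discussed in the message above, as an added example that is not part of the original message or of any project's code: the CGI rule (RFC 3875) upper-cases a field-name, replaces - with _ and prepends HTTP_, so User-Agent and User_Agent land in the same variable. The sample headers, the function names and the "drop every underscore name" policy are assumptions made for illustration.

```python
# Added illustration: CGI-style mapping of request header names to
# meta-variables (RFC 3875, section 4.1.18) and a check for name collisions.

def cgi_env_name(field_name):
    """Map an HTTP field-name to its CGI meta-variable name."""
    return "HTTP_" + field_name.upper().replace("-", "_")

def build_env_naive(headers):
    """Map every header; a later colliding header overwrites the earlier one."""
    env = {}
    for name, value in headers:
        env[cgi_env_name(name)] = value
    return env

def find_collisions(headers):
    """Return {variable: [distinct field-names]} where different names collide."""
    seen = {}
    for name, _ in headers:
        seen.setdefault(cgi_env_name(name), set()).add(name.lower())
    return {var: sorted(names) for var, names in seen.items() if len(names) > 1}

def build_env_strict(headers):
    """Hypothetical gateway policy: drop any field-name containing '_'."""
    env, dropped = {}, []
    for name, value in headers:
        if "_" in name:
            dropped.append(name)  # keep a record for logging/alerting
            continue
        env[cgi_env_name(name)] = value
    return env, dropped

# Constructed sample request headers, in wire order.
SAMPLE = [
    ("Host", "example.test"),
    ("User-Agent", "browser/1.0"),
    ("User_Agent", "value-from-underscore-header"),
    ("Accept-Language", "en"),
]

if __name__ == "__main__":
    # The application sees the underscore header's value as its User-Agent.
    print(build_env_naive(SAMPLE)["HTTP_USER_AGENT"])
    print(find_collisions(SAMPLE))
    print(build_env_strict(SAMPLE))
```

A front-end that inspects or normalises User-Agent but passes User_Agent through untouched is where the two views of the request diverge, which is why the collision check belongs at the gateway that builds the environment.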