Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

Cookie name CRLF injection #859

Closed
vlet opened this Issue · 12 comments

7 participants

@vlet

Today was announced new CGI.pm 3.63 were was fixed issue (marked as
security issue in Changes) with CRLF injection in cookies:
markstos/CGI.pm#23

As I can see Dancer::Cookie also do not validate cookie name for
CRLF and other invalid symbols in headers. This may be a security issue if
cookie name taken from untrusted source.

$ perl -MDancer -e 'get "/" => sub { cookie "test\n\rX-Evil-Header: " => "evil" };dance' &

$ echo "GET / HTTP/1.0\r\n\r\n" | netcat 127.0.0.1 3000

HTTP/1.0 200 OK
Server: Perl Dancer 1.311
Content-Length: 4
Content-Type: text/html
Set-Cookie: test
X-Evil-Header: =evil; path=/; HttpOnly
X-Powered-By: Perl Dancer 1.311

evil

@vlet

Continue

Dancer::Cookie also do not validate values of options of cookie() "path", "expires" and "domain" for invalid characters.
Moreover if value of cookie is utf8 string cookie() will crash ( uri_escape() die if symbol code > 255)

header(), headers() and push_header() functions have same problem with invalid characters in name and value.
Header value validated for CRLF in Dancer::Response. headers_to_array() adds space after first CRLF (multiline header body allowed with TAB or SPACE in the beginig of each line). But if there are two or more CRLF in a header body than you have a problem...

As side effect was noticed, that utf8 string in header value can crash web-server HTTP::Server::PSGI

@ppisar

Actually the first new line gets escaped. But you cannot see it on terminal because the two spaces are followed by \r from input value.

@bigpresh
Owner

Hmm, yes, this stuff needs fixing.

I see most of it as reasonably low-impact, as it's fairly unlikely that the value comes from user input for most of them; header values and cookie values are more of a concern, though.

If I get a moment today I'll try to implement fixes for these problems (unless someone else gets there first :) )

@bigpresh bigpresh closed this
@bigpresh bigpresh reopened this
@bigpresh
Owner

(Whoops, closed this one by accident, thought I was looking at a different issue. That'll teach me to pay attention and slow down until my caffeination level has increased.)

@ppisar

This flaw has been assigned CVE-2012-5572 identifier (http://www.openwall.com/lists/oss-security/2012/11/26/10).

@xsawyerx
Owner

This blocks the next release.

@bigpresh
Owner
@carnil

Hi

Are there news on this issue?

Thanks for your work!

@onuraslan

did you abandon this issue?

@yanick
Owner

No, it is still in the queue. We'll get to it eventually, I swear. :-)

@yanick yanick closed this in d21a098
@ppisar

Just released version 1.3114 is missing test t/12_response/11_CVE-2012-5572.t added in commit:

commit d21a0983fa95ffea2b50ad5af84cc93f4ce5f4d2
Author: Colin Keith <colinmkeith@gmail.com>
Date:   Sat May 25 00:46:53 2013 -0400

    test and resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name fixes PerlDancer/Dancer#859
@yanick yanick referenced this issue from a commit
@yanick yanick didn't add new test to MANIFEST
Fixes #859
a757cbb
@yanick
Owner

Ooops, forgot to update the MANIFEST. Did that now, test is going to pop up in next release.

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.