Possible HTTP Response Splitting Vulnerability

[liquidworm]

Hi,

Please review the published advisory, probably it's in the API WebOb which is not documented here: http://docs.webob.org/en/latest/api/exceptions.html

Probably there are other WebOb applications with similar issues.

Here is the advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php

Thanks

[digitalresistor]

Okay, so some sample code to make this a little more clear:

def test_HTTPMove_location_newlines():
    def start_response(status, headers, exc_info=None):
        print(headers)
        pass
    environ = {
       'wsgi.url_scheme': 'HTTP',
       'SERVER_NAME': 'localhost',
       'SERVER_PORT': '80',
       'REQUEST_METHOD': 'HEAD',
       'PATH_INFO': '/',
    }
    m = webob_exc._HTTPMove(location='http://example.com\r\nX-Test: false')
    m( environ, start_response )

The data that is printed is:

[
    ('Content-Type', 'text/html; charset=UTF-8'),
    ('Content-Length', '0'),
    ('Location', 'http://example.com\r\nX-Test: false')
]

This is passed off to start_response(), which is generally provided by a WSGI compatible server. I don't believe it's WebOb's responsibility to sanitize header information being sent to the WSGI server.

[GrahamDumpleton]

FWIW. Apache/mod_wsgi should raise a ValueError exception out of start_response() if given a header value with embedded \r or \n.

Many other WSGI servers, if not perhaps all of them, don't bother with such validation.