[ic] HTTP Response Splitting
Grant
emailgrant at gmail.com
Sat May 11 20:41:56 UTC 2013
>> Am I safe from HTTP Response Splitting if I use [bounce]?
>>
>> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
>
> Mostly. The [bounce] tag removes \r and \n, and the URL-encoded versions of
> them, from URLs before it puts them into the header. Two other tag
> attributes -- "target" and "status" do appear to make it into the header
> unscrubbed. But as long as you don't let user input touch those (which
> would be an outrageously bad idea anyway, for other reasons), you're fine.
You mentioned that "target" is not scrubbed but I think you mean
"href"? If so, is "page" the only bounce attribute that is scrubbed?
- Grant
More information about the interchange-users
mailing list