[ic] HTTP Response Splitting

Grant emailgrant at gmail.com
Sat May 11 20:41:56 UTC 2013

>> Am I safe from HTTP Response Splitting if I use [bounce]?
>> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
> Mostly.  The [bounce] tag removes \r and \n, and the URL-encoded versions of
> them, from URLs before it puts them into the header.  Two other tag
> attributes -- "target" and "status" do appear to make it into the header
> unscrubbed.  But as long as you don't let user input touch those (which
> would be an outrageously bad idea anyway, for other reasons), you're fine.

You mentioned that "target" is not scrubbed but I think you mean
"href"?  If so, is "page" the only bounce attribute that is scrubbed?

- Grant

More information about the interchange-users mailing list