[ic] HTTP Response Splitting

d davenport dances_with_peons at live.com
Mon May 13 02:27:54 UTC 2013

>-----Original Message----- 
>From: Grant
>Sent: Saturday, May 11, 2013 4:41 PM
>To: interchange-users
>Subject: Re: [ic] HTTP Response Splitting
>>> Am I safe from HTTP Response Splitting if I use [bounce]?
>>> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
>> Mostly.  The [bounce] tag removes \r and \n, and the URL-encoded versions 
>> of
>> them, from URLs before it puts them into the header.  Two other tag
>> attributes -- "target" and "status" do appear to make it into the header
>> unscrubbed.  But as long as you don't let user input touch those (which
>> would be an outrageously bad idea anyway, for other reasons), you're 
>> fine.
>You mentioned that "target" is not scrubbed but I think you mean
>"href"?  If so, is "page" the only bounce attribute that is scrubbed?

I meant "target".  Not sure where the attribute comes in, but it certainly 
looks like a tag param, and determines the value of a 'Window-Target' 
'href' is explicitly scrubbed, and 'page=XXXX' is just treated as 
'href="[area XXXX]"' if there's not already an href.  (That translation 
happens before the scrubbing, so 'page' is effectively scrubbed too.)



More information about the interchange-users mailing list