Forum OpenACS Development: Re: Header Injection

6: Re: Header Injection (response to 2)
Posted by Gustaf Neumann on
Yes, it is/was possible to inject strings into the header this way (slightly more complicated than your description above). Actually, NaviServer/AolServer should sanitize this string in ns_returnredirect, but they don't do this currently. This potential attack is fixed in the oacs-5-8 branch.

Many thanks for reporting!
-g

7: Re: Header Injection (response to 6)
Posted by Gustaf Neumann on
Actually, my reply was not fully correct: NaviServer has sanitized all header fields since September 2013 (at first I thought I had missed this case, but it is covered as well).

https://bitbucket.org/naviserver/naviserver/commits/def03a4dc7568ca27ea5ee0111d51930d8d65801

However, the "double-fix" in OpenACS fixes the ad_returnredirect case for older versions of NaviServer and AolServer as well.
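
The kind of check discussed in the two posts above, as an added example that is not part of the thread and is not the actual OpenACS or NaviServer fix: a Tcl proc that refuses redirect targets containing control characters before they would be handed to a redirecting call such as ns_returnredirect. The proc name `check_redirect_target` is hypothetical and the sample inputs are constructed; the script runs in a plain tclsh.

```tcl
# Added example, not OpenACS or NaviServer source code.
# The proc name check_redirect_target is hypothetical.

# Return the target unchanged if it is safe to place in a Location
# header; raise an error if it contains any control character
# (CR, LF, NUL, TAB, ...), since CR/LF would end the header line
# and let the rest of the value be read as further header fields.
proc check_redirect_target {target} {
    if {[regexp {[[:cntrl:]]} $target]} {
        error "redirect target contains control characters"
    }
    return $target
}

# Constructed sample inputs: a label, then the value as it would
# arrive after URL-decoding of a query variable.
set samples [list \
    "plain path"    "/index" \
    "absolute URL"  "https://example.org/register/?x=1" \
    "embedded CRLF" "/index\r\nX-Constructed: 1" \
    "bare LF"       "/index\nX-Constructed: 1" \
]

foreach {label target} $samples {
    if {[catch {check_redirect_target $target} result]} {
        puts "$label: rejected ($result)"
    } else {
        # In a server context this is where the checked value would
        # be passed on, e.g. to ns_returnredirect.
        puts "$label: accepted"
    }
}
```

Rejecting the request, rather than silently stripping the characters, keeps a malformed target from being redirected to at all and leaves an error that can be logged.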