Is the attached patch needed to avoid HTML injection attacks on the
sqwebmail CGI? The sqwebmail CGI writes HTTP Refresh headers in two
places, but outputs the URL without encoding it. Since HTTP headers
are written before the rest of the page is rendered, it seems you
could, e.g., invoke the sqwebmail CGI with:
http://my.domain.com/cgi-bin/sqwebmail?redirect=%0d%0a[...]
The response from the sqwebmail CGI to the browser would look like:
Refresh: 0; URL=
[...]
[either printredirect.html or redirect.html]
If [...] is any valid HTML, then it would be directly rendered by the
browser before the real part of the response, right?
Cheers,
-- Johnny Lam <[EMAIL PROTECTED]>
$NetBSD$
--- webmail/sqwebmail.c.orig 2005-11-19 16:58:38.000000000 -0500
+++ webmail/sqwebmail.c
@@ -1752,7 +1752,7 @@ char *p;
strcat(strcat(strcpy(buf, nl), "/printmsg/print?"), qs);
cginocache();
cgi_setcookie("sqwebmail-pi", pi);
- printf("Refresh: 0; URL=%s\n", buf);
+ printf("Refresh: 0; URL=%s\n", output_attrencoded(buf));
free(buf);
output_form("printredirect.html");
return;
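Review bot: the name `output_attrencoded` reads like a function that writes its encoded result straight to stdout rather than returning a string, so passing it as the `%s` argument of `printf` on the `+` line should be checked against its declaration; if it returns void, the line has to become `printf("Refresh: 0; URL="); output_attrencoded(buf); printf("\n");` or the result has to be captured into a buffer first. Separately, the attack described in the mail is CR/LF injection into an HTTP header, and HTML attribute encoding (`<`, `>`, `&`, `"`) does not by itself guarantee that CR and LF are removed; confirm that the encoder also encodes or strips those two bytes, otherwise percent-encode them, since the value here is a URL inside a header, not text inside an HTML attribute.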
@@ -2089,7 +2089,7 @@ static void redirect(const char *url)
{
if (valid_redirect())
{
- printf("Refresh: 0; URL=%s\n", url);
+ printf("Refresh: 0; URL=%s\n", output_attrencoded(url));
output_form("redirect.html");
return;
}
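Review bot: `valid_redirect()` is the natural place to reject a redirect target that contains CR, LF or any other control character, so that a hostile value never reaches the header at all; encoding only at the `+` line leaves the protection split between validation and output, and the same questions from the first hunk apply here (whether `output_attrencoded` returns a string usable with `%s`, and whether it handles CR/LF). If `valid_redirect()` already rejects control characters, say so in a comment above the `printf` so the next reader knows which of the two checks is load-bearing.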
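As an added example that is not sqwebmail's own code, the following C helper shows the encoding a Refresh header value actually needs: CR, LF and every other byte that cannot safely appear in a header are percent-encoded before the URL is placed after `URL=`, so the `%0d%0a` vector from the mail can no longer terminate the header. The function names `header_url_encode`, `header_value_is_safe` and `write_refresh_header`, and the sample hostile URL, are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not sqwebmail's): percent-encode every byte that
 * must not appear inside an HTTP header value. CR and LF are the bytes
 * that let a caller end the header line early, so they, all other control
 * characters, non-ASCII bytes, space, quotes and the HTML-significant
 * characters are written as %XX. Bytes that are legal in a URL, including
 * '%' itself, are kept so an already-encoded URL is not double-encoded.
 * The caller frees the returned string. */
char *header_url_encode(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    static const char keep[] = "-._~:/?#[]@!$&'()*+,;=%";
    size_t n = strlen(s);
    char *out = malloc(n * 3 + 1);      /* worst case: every byte -> %XX */
    char *p = out;

    if (!out)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 128 && (isalnum(c) || strchr(keep, c) != NULL)) {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 15];
        }
    }
    *p = '\0';
    return out;
}

/* Returns 1 if the value contains no byte that would end the header line. */
int header_value_is_safe(const char *s)
{
    for (; *s; s++)
        if (*s == '\r' || *s == '\n')
            return 0;
    return 1;
}

/* Writes the header in the same shape as the sqwebmail line, but over the
 * encoded URL. Returns 0 on success, -1 on allocation or write failure. */
int write_refresh_header(FILE *fp, const char *url)
{
    char *enc = header_url_encode(url);
    int rc;

    if (!enc)
        return -1;
    rc = fprintf(fp, "Refresh: 0; URL=%s\n", enc);
    free(enc);
    return rc < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: the decoded form of the query string from the
     * mail, i.e. a URL followed by CR LF and an HTML fragment. */
    const char *hostile = "http://my.domain.com/x\r\n\r\n<b>injected</b>";

    write_refresh_header(stdout, hostile);
    return 0;
}
```

Running it prints a single `Refresh:` line in which the CR/LF pair and the tags appear as `%0D%0A` and `%3Cb%3E`, so the browser sees one header and no injected body.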