Hi,

please create a issue.

2015-07-21 9:13 GMT+02:00 Ortwin Escher <[email protected]>:

> Hello,
>
> As wished to the developers list:
>
> The JsfUtils used in DeltaSpike URLEncode the values but not the keys.
> This allows header injection (see
> https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on
> this attack type). As an example if I open a page without window ID and
> thus have a redirect by DefaultClientWindow.getOrCreateWindowId() in it:
>
> /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
>
> will cause the key side to be an unescaped part of the redirect URL and
> thus cause the cookie to be set. the encodeValues parameter should also
> cause the keys to be encoded as well.
>
> Regards
>
> Ortwin Escher
>
> Fachreferent, Fahrzeug IT, VC-M1
>
> IAV GmbH
> Rockwellstrasse 16
> 38518 GIFHORN
> GERMANY
>
> Internet: http://www.iav.com
>
> Sitz/Registered Office: Berlin,
> Registergericht/Registration Court: Amtsgericht Charlottenburg,
> Registernummer/Company Registration Number: HRB 21 280,
> Geschäftsführer/Managing Directors: Kurt Blumenröder, Michael Schubert,
> Olaf Kupke
> Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dr.
> Harald Ludanek

Reply via email to