Kusuke Ebihara (Ikousuke at co3k.org) has discovered an interesting security
bug with XHR.

http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-January/008170.html
 

Basically, for CGI programs, characters that are valid in HTTP headers but not
in Unix shell environment variables are commonly all coerced to "_". This
allows bypass of the security restrictions in
http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method, section 5.
If an application sets, e.g., a header of "User_Agent" (or in some cases
"User.Agent", "User*Agent", etc.), that is indistinguishable, when delivered
to a CGI application, from the forbidden "User-Agent".

As this behavior is at least partially formally documented in
http://tools.ietf.org/html/rfc3875#section-4.1.18, and very widely
implemented, the algorithm for XHR should be updated to at least consider "_",
and possibly all non-alphanumeric characters, as equivalent to "-" for purposes
of comparison to the blacklisted header set.

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad
email: bh...@paypal-inc.com
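
The collision described in the message, modelled as an added example (not code from the message, from PayPal, or from any browser or CGI implementation). It assumes the RFC 3875 section 4.1.18 mapping (uppercase, "-" becomes "_", prefix "HTTP_") plus the wider coercion the message describes, where every character that is not valid in an environment variable name is also turned into "_". The forbidden-header set is a constructed subset of the XHR setRequestHeader list, and `FORBIDDEN_REQUEST_HEADERS`, `cgi_meta_variable`, `naive_is_forbidden`, `hardened_is_forbidden` and `colliding_headers` are names chosen for this example only.

```python
"""
Model of how a CGI gateway turns request header names into environment
variable names, why that makes "User_Agent" and "User-Agent" collide,
and two places the collision can be handled: the XHR-side forbidden
header check (compare after canonicalising the way the gateway will)
and the gateway/application side (detect header names that land on the
same meta-variable and reject the ambiguous request).
"""
import re

# Constructed subset of the header names XHR's setRequestHeader refuses
# to set (the full list lives in the XMLHttpRequest spec, section 5).
FORBIDDEN_REQUEST_HEADERS = {
    "accept-charset", "accept-encoding", "connection", "content-length",
    "cookie", "cookie2", "date", "expect", "host", "keep-alive",
    "referer", "te", "trailer", "transfer-encoding", "upgrade",
    "user-agent", "via",
}


def cgi_meta_variable(header_name):
    """RFC 3875 s4.1.18: uppercase, '-' -> '_', prefix 'HTTP_'.
    As the message notes, gateways commonly coerce every character that
    is not valid in an environment variable name to '_', so '.', '*'
    and '_' all end up identical to '-' here (assumed behaviour)."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header_name.upper())


def naive_is_forbidden(header_name):
    """Exact (case-insensitive) match against the blacklist: the check
    the message says is bypassable, because 'User_Agent' is not in it."""
    return header_name.lower() in FORBIDDEN_REQUEST_HEADERS


def hardened_is_forbidden(header_name):
    """The fix the message proposes: treat '_' (and every other
    non-alphanumeric) as '-' before comparing with the blacklist, so the
    check sees the header the same way the CGI gateway will."""
    canonical = re.sub(r"[^a-z0-9]", "-", header_name.lower())
    return canonical in FORBIDDEN_REQUEST_HEADERS


def colliding_headers(header_names):
    """Server-side detection: group incoming header names by the CGI
    meta-variable they map to and return only the ambiguous groups.
    A gateway or application seeing a non-empty result cannot trust
    the corresponding HTTP_* value and should reject the request."""
    groups = {}
    for name in header_names:
        groups.setdefault(cgi_meta_variable(name), []).append(name)
    return {var: names for var, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for name in ("User-Agent", "User_Agent", "User.Agent", "User*Agent"):
        print(f"{name:12} -> {cgi_meta_variable(name):16} "
              f"naive={naive_is_forbidden(name)!s:5} "
              f"hardened={hardened_is_forbidden(name)}")
    # Constructed request: a browser-set User-Agent plus a script-set
    # User_Agent arrive as two headers but one environment variable.
    print(colliding_headers(["Host", "User-Agent", "User_Agent", "X-Foo"]))
```

The two checks differ only in canonicalisation: `naive_is_forbidden("User_Agent")` is false while `hardened_is_forbidden("User_Agent")` is true, matching the message's proposal to treat "_" and other non-alphanumerics as "-". `colliding_headers` is the complementary control on the receiving side for deployments that cannot depend on every client applying the fixed XHR algorithm.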

