Re: [naviserver-devel] naviserver/tcl fastpath.tcl,1.5,1.6

2008-11-07 Thread Stephen Deasey
On Fri, Nov 7, 2008 at 3:12 AM, Vlad Seryakov
<[EMAIL PROTECTED]> wrote:

> + # If address set to 0.0.0.0 in nssock to listen on
> + # all interfaces we may try to use Host: header to
> + # return proper urls
> + #
> +
> + if { $loc == "http://0.0.0.0"; } {
> +   set host [ns_set iget [ns_conn headers] Host]
> +   if { $host != "" } {
> + set loc http://$host
> +   }
> + }
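
Review bot: the `Host` value read on the `set host` line is copied into `loc` unvalidated, so a client-controlled header lands verbatim in the redirect `Location:` built from `$loc`; a Host containing CR/LF (or `/`, `?`, `@`) can end the header value and inject further headers or a body. Before `set loc http://$host`, accept only a strict `hostname[:port]` shape (for example `regexp {^[A-Za-z0-9.-]+(:[0-9]{1,5})?$} $host`) and otherwise keep the configured location or fail the request. Two smaller points: the `==` test against the literal `"http://0.0.0.0"` matches only that exact string, so a location carrying a port would never take this path; and if the `;` after the closing quote in `if { $loc == "http://0.0.0.0"; } {` is in the committed file rather than an artifact of the archive, it is a syntax error inside the expr.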


You can't take unfiltered input from the host header and then feed it
back to ns_returnredirect, as this is vulnerable to a response splitting
attack.

  http://www.google.co.uk/search?q=response+splitting

It seems like this may be a more general kind of bug. After all, it's
not just in directory listings that 0.0.0.0 is an invalid host
address. Take a look at conn.c:Ns_ConnLocationAppend() -- looks like
this is where the fix needs to go.

This is a tricky area, so add some extra tests in tests/ns_conn_host.test

-
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
___
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
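
The splitting risk Stephen describes, shown as an added example in C (this is not NaviServer's code and not the fix he asks for in conn.c:Ns_ConnLocationAppend(); the function names `safe_host_header`, `naive_location`, `build_location` and the sample inputs are hypothetical). The naive builder reproduces the patch's behaviour of trusting Host verbatim when the listener is bound to 0.0.0.0; the hardened builder consults Host only in that case and only after a strict `label(.label)*[:port]` check, and refuses to produce a location at all when the header fails it:

```c
/* Added example, not NaviServer code: building a redirect Location from the
 * client's Host header when the listener was bound to the wildcard 0.0.0.0.
 * Function names and sample inputs are hypothetical. */
#include <stdio.h>
#include <string.h>

/* ASCII-only host characters; no ctype.h so the locale cannot widen the set. */
static int is_host_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Returns 1 if host has the strict shape label(.label)*[:port], else 0.
 * CR, LF, space, '/', '?', '#', '@', '\\' and non-ASCII are all rejected,
 * which is what keeps the value from ending the Location header or
 * smuggling extra headers. A trailing '.' and an empty port are rejected
 * too; this is conservative on purpose. */
int safe_host_header(const char *host)
{
    size_t i, n;
    int in_port = 0, label_len = 0, port_len = 0;

    if (host == NULL) return 0;
    n = strlen(host);
    if (n == 0 || n > 255) return 0;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char) host[i];
        if (in_port) {
            if (c < '0' || c > '9' || ++port_len > 5) return 0;
        } else if (is_host_char(c)) {
            if (++label_len > 63) return 0;
        } else if (c == '.' || c == ':') {
            if (label_len == 0) return 0;   /* "..", leading ".", ":80" */
            label_len = 0;
            in_port = (c == ':');
        } else {
            return 0;                       /* CR, LF, '/', space, ... */
        }
    }
    if (in_port) return port_len > 0;       /* reject "example.com:" */
    return label_len > 0;                   /* reject "example.com." */
}

/* The unsafe pattern from the patch, for contrast: trusts Host verbatim. */
int naive_location(const char *host_hdr, const char *path,
                   char *out, size_t outlen)
{
    int len = snprintf(out, outlen, "http://%s%s", host_hdr, path);
    return len > 0 && (size_t) len < outlen;
}

/* Hardened: Host is consulted only when bound to the wildcard address and
 * only after it passes safe_host_header(). Returns 1 and fills out on
 * success, 0 when no trustworthy location exists (caller should answer
 * 400 rather than guess). */
int build_location(const char *scheme, const char *bound_addr,
                   const char *host_hdr, const char *path,
                   char *out, size_t outlen)
{
    const char *host = bound_addr;
    int len;

    if (strcmp(bound_addr, "0.0.0.0") == 0) {
        if (!safe_host_header(host_hdr)) return 0;
        host = host_hdr;
    }
    len = snprintf(out, outlen, "%s://%s%s", scheme, host, path);
    return len > 0 && (size_t) len < outlen;
}

/* Check helpers: does the naive value carry a CRLF (a split header), and
 * does the hardened builder yield exactly the expected string? */
int naive_location_splits(const char *host_hdr, const char *path)
{
    char buf[512];
    return naive_location(host_hdr, path, buf, sizeof buf) &&
           strstr(buf, "\r\n") != NULL;
}

int location_is(const char *bound_addr, const char *host_hdr,
                const char *path, const char *expected)
{
    char buf[512];
    return build_location("http", bound_addr, host_hdr, path, buf, sizeof buf) &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed attacker Host: ends the Location line and adds a header. */
    const char *evil = "example.com\r\nSet-Cookie: sid=attacker";
    char buf[512];

    naive_location(evil, "/docs/", buf, sizeof buf);
    printf("naive Location:\n%s\n\n", buf);
    printf("hardened: %s\n",
           build_location("http", "0.0.0.0", evil, "/docs/", buf, sizeof buf)
               ? buf : "rejected (answer 400)");
    return 0;
}
```

Run stand-alone it prints the naive Location with the injected `Set-Cookie:` on its own line, then `rejected (answer 400)` for the hardened path. The design point is that the check is an allow-list on shape, not a deny-list of `\r` and `\n`: a `/` or `?` in Host would not split the response but would still send the client to an attacker-chosen path, so the same strictness covers both.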


Re: [naviserver-devel] naviserver/tcl fastpath.tcl,1.5,1.6

2008-11-07 Thread Vlad Seryakov
Yes, bad change

Stephen Deasey wrote:
> On Fri, Nov 7, 2008 at 3:12 AM, Vlad Seryakov
> <[EMAIL PROTECTED]> wrote:
> 
>> + # If address set to 0.0.0.0 in nssock to listen on
>> + # all interfaces we may try to use Host: header to
>> + # return proper urls
>> + #
>> +
>> + if { $loc == "http://0.0.0.0"; } {
>> +   set host [ns_set iget [ns_conn headers] Host]
>> +   if { $host != "" } {
>> + set loc http://$host
>> +   }
>> + }
> 
> 
> You can't take unfiltered input from the host header and then feed it
> back to ns_returnredirect, as this is vulnerable to a response splitting
> attack.
> 
>   http://www.google.co.uk/search?q=response+splitting
> 
> It seems like this may be a more general kind of bug. After all, it's
> not just in directory listings that 0.0.0.0 is an invalid host
> address. Take a look at conn.c:Ns_ConnLocationAppend() -- looks like
> this is where the fix needs to go.
> 
> This is a tricky area, so add some extra tests in tests/ns_conn_host.test
> 

