Hello Antonio
Indeed it is a header injection; however, the XSS in the header should not be interpreted and executed in the browser because it is not in the HTML document. However, it could be possible to use a “Location” header to create a redirection to another site.
It looks like it is caused by the %0d and %0a characters (carriage return and new line).
A possible fix is to control the args in the controller.
You can check by:
- length of the arg; return if it is too long
- check if there is an unwanted char; return if any
- try to cast to int if the arg is numeric; return if it fails
I like to do these filters before taking the argument; a bit more processing, but secure in the end.
But the above fix will not work if this is happening before the args are checked.
I believe this needs to be sanitized in the web2py core and not in the app.
Greetings
Chris.
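The controller-side checks listed in the post (length, unwanted characters, numeric cast), as an added example rather than code from the post or from web2py; the `check_arg` and `redirect_for` names, the limits, and the simulated args list are assumptions, and CR/LF is refused in both its raw and percent-encoded (%0d/%0a) forms.

```python
import re

# Constructed limits (assumption): a URL argument longer than this,
# or containing anything outside letters, digits, "_", "." and "-",
# is refused. CR, LF, "%", ":" and spaces are all outside the set.
MAX_ARG_LEN = 64
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.-]+$")


def has_crlf(value):
    """True if the value carries a raw or percent-encoded CR/LF.
    request.args are usually already URL-decoded, so both forms are
    checked: the encoded one is what the post reports in the URL."""
    lowered = value.lower()
    return ("\r" in value or "\n" in value
            or "%0d" in lowered or "%0a" in lowered)


def check_arg(value, numeric=False):
    """Validate one request argument before it reaches any header.
    Returns (True, cleaned) when acceptable, (False, reason) when the
    request should be refused (e.g. with raise HTTP(400))."""
    if value is None:
        return False, "missing argument"
    if len(value) > MAX_ARG_LEN:
        return False, "argument too long"
    if has_crlf(value) or not SAFE_ARG.match(value):
        return False, "argument contains unwanted characters"
    if numeric:
        try:
            return True, int(value)
        except ValueError:
            return False, "argument is not numeric"
    return True, value


def redirect_for(args):
    """Simulated controller action (hypothetical): build a Location
    target from request.args only after the argument has been checked.
    Returns the target path, or None when the request is refused."""
    ok, page = check_arg(args[0] if args else None, numeric=True)
    if not ok:
        return None
    return "/app/default/view/%d" % page


if __name__ == "__main__":
    print(redirect_for(["7"]))                 # /app/default/view/7
    print(redirect_for(["7\r\nX-Injected: y"]))  # None: refused
```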