Http header injection on redirect to login


António Ramos

Nov 13, 2023, 9:35:35 AM11/13/23
to web...@googlegroups.com, py4web
Hello friends
I have a web2py production app that has been used in my company for some years.
We had it tested by a company specialized in cybersecurity.
They reported an issue that represents a vulnerability.

This is the result report.
Description
During the application audit process on the portal, it was possible to identify the possibility of injecting HTTP headers, which allows an attacker to insert custom headers and create other attacks such as session theft, redirect manipulation and social engineering attacks.

Recommendation
To prevent HTTP header injection and its associated issues, it is essential to perform proper validation and sanitization of all user input that can be included in HTTP headers. Additionally, it is important to keep your software and web frameworks up to date, as known vulnerabilities related to HTTP header injection may be fixed in newer versions.


See screenshot below.
The request to a protected URL returns a redirect to login.

They then repeated the same request but injected a simple script that was going to be executed on the victim's PC.
Any comments on this issue?

Regards
António



Massimo DiPierro

Nov 13, 2023, 10:08:41 AM11/13/23
to António Ramos, web2py-users, py4web
Usually the responsibility of doing this is with the web server. I will double check, but I am pretty sure rocket3 (the web2py/py4web web server) does header sanitization, but will double check. In any case, will address this in more detail asap.

what setup was used for this test? 


Christian Varas

Nov 13, 2023, 10:45:23 AM11/13/23
to António Ramos, py4web, web...@googlegroups.com
Hello Antonio

Indeed it is a header injection; however, the XSS in the header should not be interpreted and executed in the browser because it is not in the HTML document. However, it could be possible to use a "Location" header to create a redirection to another site.

It looks like it is caused by the %0d and %0a characters (carriage return and new line).

A possible fix is to control args in controller.
You can check by:
- length of the arg: return if it is too long
- check if there is an unwanted char: return if any
- try to cast to int if the arg is numeric: return if it fails

I like to do these filters before taking the argument for a bit more processing, but it is secure in the end.

But the above fix will not work if this is happening before args are checked.

I believe this needs to be sanitized in web2py core and not in the app.

Greetings
Chris.
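The three controller-side checks Chris lists (length, forbidden characters, int cast), written out as an added example that is not code from the thread or from web2py itself. The function names, the `_next` parameter and the sample args are assumptions constructed for the example; the percent-encoded value mirrors the %0d%0a case discussed above, decoded the way a server hands it to a controller.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample args, as a controller would receive them after the server
# has percent-decoded the request: one legitimate, one carrying CR/LF.
SAFE_ARG = unquote("dashboard/42")
INJECTED_ARG = unquote("dashboard/42%0d%0aSet-Cookie:%20session=evil")

MAX_ARG_LEN = 200
# A header value is one line: CR, LF and NUL are never acceptable. Reject the
# whole value rather than stripping, so a tampered request is not silently fixed.
FORBIDDEN = re.compile(r"[\r\n\x00]")


def validate_arg(value, max_len=MAX_ARG_LEN, numeric=False):
    """Return the arg unchanged if it is safe to reuse in a header, else None.

    Order matters: the length check runs first so the regex never scans
    an arbitrarily large input.
    """
    if value is None or len(value) > max_len:
        return None
    if FORBIDDEN.search(value):
        return None
    if numeric:
        try:
            int(value)
        except ValueError:
            return None
    return value


def build_location(next_arg, login_path="/login"):
    """Value for the Location header of the redirect-to-login response.

    An arg that fails validation falls back to the bare login URL instead of
    being echoed; a valid one is percent-encoded so the header stays one line
    even if the character set is widened later.
    """
    safe = validate_arg(next_arg)
    if safe is None:
        return login_path
    return login_path + "?_next=" + quote(safe, safe="/")


def header_line_count(location_value):
    """How many header lines a naive 'Location: ' + value would produce.
    Anything above 1 is the injection the audit report describes."""
    return 1 + len(re.findall(r"\r\n|\n|\r", location_value))
```

`header_line_count` is the check to run over the raw arg when triaging: the unvalidated injected sample yields 2 lines, the validated output always 1.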

Christian Varas

Nov 13, 2023, 10:48:45 AM11/13/23
to Massimo DiPierro, António Ramos, py4web, web2py-users
Hello Massimo.

In a quick look, it looks like it is caused by the %0d and %0a characters in args (carriage return and new line). Maybe it is a good idea to forbid those chars, or take them as a string to avoid them being interpreted.

Greetings 
Chris.
