https://issues.apache.org/bugzilla/show_bug.cgi?id=50958
           Summary: ISAPI HTTP Response Splitting Vulnerability
           Product: Tomcat Connectors
           Version: 1.2.31
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: isapi
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: vkhle...@gmail.com

Created an attachment (id=26793)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26793)
Contains test WAR and ISAPI config files

The ISAPI plugin seems to be vulnerable to HTTP response splitting attacks. The plugin code doesn't filter CRLFs from response header values before the response is sent to the client. Tomcat replaces CRLFs with spaces when accessed directly through an HTTP connector. I suggest the ISAPI plugin does the same.

The test application in the attachment demonstrates the attack. It contains a simple JSP that sets a special header value that breaks the HTTP response structure.

To run the test app, extract the attached zip file, deploy the WAR to Tomcat, and use the included config files for the ISAPI plugin. Once done, browse to http://localhost/response-splitting

If the message "Please enter password" with a text box is displayed, the exploit has worked. Compare that to the response you get by browsing to Tomcat directly (i.e. a blank page).

The test app uses a hard-coded header value, but it's easy to imagine that the value could come from an untrusted source, like a request parameter.
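The following is an added example, not part of the bug report or of the Tomcat Connectors code. It models the two behaviours the report contrasts: a server path that writes a header value verbatim (the ISAPI plugin as described) and one that replaces CR and LF with spaces first (the behaviour the reporter attributes to Tomcat's HTTP connector). The header name `X-Test`, the injected value and the `parse_response` client are constructed for the demonstration; the injected value is shaped like the one the report describes, a CRLF CRLF followed by HTML containing "Please enter password".

```python
"""HTTP response splitting via an unfiltered header value, and the
CR/LF-to-space normalisation that neutralises it.

Added example, not from the bug report or from the Tomcat Connectors
project. Header name, injected value and the client parser are
constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed header value of the kind the reporter's test JSP sets.
# The embedded CRLF CRLF terminates the real headers early, so the HTML
# that follows is delivered to the client as the response body.
INJECTED_VALUE = (
    "ignored\r\n\r\n"
    "<html><body><form>Please enter password"
    "<input type='text' name='pw'></form></body></html>"
)


def sanitize_header_value(value: str) -> str:
    """Replace CR and LF in a header value with spaces, the normalisation
    the report says Tomcat's own HTTP connector applies."""
    return value.replace("\r", " ").replace("\n", " ")


def build_response(headers: List[Tuple[str, str]], body: bytes,
                   sanitize: bool) -> bytes:
    """Serialise a minimal HTTP/1.1 response.

    sanitize=False writes header values verbatim, which is the vulnerable
    behaviour the report describes for the ISAPI plugin; sanitize=True
    applies sanitize_header_value first.
    """
    lines = ["HTTP/1.1 200 OK"]
    for name, value in headers:
        if sanitize:
            value = sanitize_header_value(value)
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    head = "\r\n".join(lines) + "\r\n\r\n"
    return head.encode("latin-1") + body


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Line-oriented client view of a raw response: the header block ends
    at the first blank line and everything after it is the body.
    Content-Length is deliberately ignored, as a naive consumer would."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers, body


def body_seen_by_client(sanitize: bool) -> bytes:
    """Body a client sees for the constructed test header, with or without
    the CR/LF normalisation. The server intends to send an empty body, as
    the report's blank page when browsing to Tomcat directly implies."""
    raw = build_response([("X-Test", INJECTED_VALUE)], b"", sanitize)
    return parse_response(raw)[1]


if __name__ == "__main__":
    print("unsanitized body:", body_seen_by_client(False)[:60])
    print("sanitized body:  ", body_seen_by_client(True))
```

With `sanitize=False` the client's body begins with the injected HTML (and the server's own `Content-Length: 0` line lands inside that body); with `sanitize=True` the whole injected string stays inside the `X-Test` header value, the header block is intact, and the body is empty, which matches the blank page the reporter describes when hitting Tomcat directly.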