-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Issue - HTTP Response Splitting #114
Comments
Thanks for reporting this. To help us better assess the severity of this, can you also share the following information?
We don't intentionally unescape anything in the service parameter in any redirects which is why I'd like to better understand how/why you are seeing this issue. |
mod_auth_cas - 1.1 d80ac39 The issue came out of penetration testing. The real problem is that the login URL, including the service parameter, is copied to the location header. The service parameter can contain end-of-line markers (CRLF) that would allow a malicious user to insert other headers and content. The following example, while not malicious, demonstrates the result: RESPONSE: From https://tools.ietf.org/html/rfc2616#section-2.2:
It looks like the only CTLs that should be allowed are LWS. Even then they could be replaced by a single SP. Of course, this issue does not cause mod_auth_cas to fail, but a change would make it more secure. Thank you for maintaining mod_auth_cas. |
Some notes so I don't forget: Adding '\r' and '\n' to https://github.com/Jasig/mod_auth_cas/blob/master/src/mod_auth_cas.c#L826 could be a quick fix, but I'll need to test. I do wonder if using something like https://apr.apache.org/docs/apr/1.5/group___a_p_r___util___escaping.html#ga9caffb30731e3a07a8e23fa6464d35b5 would work better in general here. |
@cschofld thanks for providing the additional extra detail. So, I am not aware of any browser which will actually take action when the response code is a 302 but more than 1 Location header, which I think is what would really be necessary to achieve "bad things". If you know of one, please let us know. That said, I agree we should fix this. @dhawes my main hesitation with your proposal is about how that particular function is used, what contracts it commits anyone to, etc. Given that a service is("SHOULD"?) required to be a valid URL, I wonder if we can leverage that and e.g. apr_uri_unparse or similar constructs to make us consistently safe throughout. All that said, a simple pass over any decoded service parameter to ensure everything lies in the safe printable ASCII space is probably a suitable approach also, although I'm a little surprised that Apache wouldn't encode them as they were passed in... |
@dhawes OK I had some time to look at how we use that function, and the implementation as well. Looks like that interface was added to APR in 2013. The implementation also references the RFC1738 character set which is in the comment in mod_auth_cas.c, so it may not encode newlines (we would need to test, their existing unit tests don't answer that question). My suggestion would be to actually just replace this with something that URL encodes anything not in ASCII printable (so anything in [0x00-0x20), [0x7F, 0xFF] or "+ <>"%{}|^~[]`;/?:@=&#" as we currently do. |
@pames I did a quick test with apr_pescape_urlencoded() and it worked as expected (my CAS server was not too happy with it though). That said, I think your suggestion is probably more straightforward and simple. |
There is an HTTP response splitting vulnerability in the login redirection. When formatting the service parameter any control characters should be removed.
See https://www.owasp.org/index.php/HTTP_Response_Splitting
The text was updated successfully, but these errors were encountered: