HTTP response splitting and mail headers splitting attacks

There are two similar security issues, both taken care of by the Suhosin patch and by strict escaping/encoding rules. They both relate to injecting new lines into the headers of network protocols. They are not very well known, and I think they are worth mentioning.

HTTP response splitting is a web-based attack in which a hacker tricks the server into injecting new lines into response headers along with arbitrary code. If you use GET/POST parameters in headers such as Cookie or Location, someone could supply new lines followed by an XSS attack.

A common example would be a server redirecting to a new location based on some variable (like url). To do it safely, you should always encode/escape/cast strings before passing them into the PHP header() function.

Let's look at the following example:

    header("X-Powered-By: \r\r\r <script>alert(1);</script>");

Run on PHP 5.2 and viewed in Firefox, this will result in JavaScript execution! Nice, isn't it?

So if you have a script that redirects to arbitrary URLs (I have seen it tons of times in applications big and small), then you should be careful how you do this redirect. If the script reads:

    header("X-Powered-By: ".$_GET['url']);

Then you can inject new lines into the header and basically generate any content you want.

    http://localhost/httpsplit.php?url=%0D%0D%0D%20%3Cscript%3Ealert%281%29;%3C/script%3E

There seems to be some check in PHP 5.2 for multiple headers set in header(), but it fails if you start right away with %0D... The example above worked for me; the one below would not work, though:

    http://localhost/httpsplit.php?url=something%0D%0D%0D%20%3Cscript%3Ealert%281%29;%3C/script%3E

As you can see, that is really bad! Many sites that perform a redirect like this are exposed to HTTP response splitting attacks.

It is especially dangerous if your application does that on login: all you need to do is put your hack into the login URL and make someone click on it. If they are logged in, you can run any XSS attack on them; if not, they will be presented with the login page and, after login, 'redirected' with your script.

Email header injection

A similar idea works for the mail function. In PHP you can set whatever headers you want, so if you are not careful and use a subject from the request or something similar, an attacker can inject new lines and other headers, for example to send email to 10000 arbitrary victims.

How to prevent HTTP response splitting attacks

To prevent these types of attacks, you just have to make sure you don't allow any special characters in cookies or any other headers. This applies to SMTP and maybe even other protocols. Escape, escape, escape. Optionally, install the Suhosin PHP patch, which will prevent both of these attacks. It's not very common in shared hosting, and probably not so common in private setups either, as it used to cause issues.
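
One way to apply the "no special characters in headers" rule in PHP, as an added example that is not code from the original post. The helper names are hypothetical, PHP 7+ is assumed, and limiting redirects to same-site paths goes a step beyond what the post describes.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+.
// clean_header_value() and local_redirect_target() are hypothetical helper names.

/** Return $value if it fits on one header line; throw if it contains control characters. */
function clean_header_value(string $value): string
{
    // CR, LF and NUL are what let a value break out of its header line;
    // rejecting all ASCII control characters covers them.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('control character in header value');
    }
    return $value;
}

/** Accept only same-site paths such as "/account"; anything else becomes $fallback. */
function local_redirect_target(string $url, string $fallback = '/'): string
{
    try {
        $url = clean_header_value($url);
    } catch (InvalidArgumentException $e) {
        return $fallback;
    }
    // Must start with a single "/" ("//host" and "/\host" point off-site in browsers).
    return preg_match('#^/(?![/\\\\])#', $url) ? $url : $fallback;
}

// Constructed sample inputs, as PHP would present them in $_GET (already URL-decoded).
$samples = [
    '/account/settings',
    "\r\r\r <script>alert(1);</script>",
    "something\r\nX-Injected: 1",
    '//example.org/',
];
foreach ($samples as $raw) {
    printf("%-40s => %s\n", json_encode($raw), local_redirect_target($raw));
}

// The same check applied to a mail subject taken from a request (constructed value).
$subject = "Hello\r\nBcc: someone@example.org";
try {
    clean_header_value($subject);
    echo "subject accepted\n";
} catch (InvalidArgumentException $e) {
    echo "subject rejected: ", $e->getMessage(), "\n";
}
```

In a real handler the return value of local_redirect_target() is what gets concatenated into the Location header, never the raw request parameter.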

Stay safe out there!

About the author

Artur Ejsmont

Hi, my name is Artur Ejsmont,
welcome to my blog.

I am a passionate software engineer living in Sydney and working for Yahoo! Drop me a line or leave a comment.
