Project

General

Profile

Actions

Task #58850

closed

Redirect URLs containing special chars may lead to garbled headers

Added by Sven Carstens over 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2014-05-16
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Redirect URLs passed to the felogin extension which contain %0d%0a%20 (CRLF SPACE) lead to garbled headers in the response as the URI is not properly url encoded before passing it to the PHP header function.

curl -i http://localhost/ --data 'logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0a%20SomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredir ect%5d=0&user=wwibephd'

---------------------------------------
HTTP/1.1 303 See Other
Date: Wed, 14 May 2014 14:06:25 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: http://localhost/
SomeCustomInjectedHeader:injected
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
---------------------------------------

The CRLF SPACE combination will lead to a cintinuation header on the next line. During header parsing the browser will remove the CRLF WHITESPACE according to the specifications and won't redirect to the proper location.

The URL passed via the redirect_url parameter must be treated by rawurlescape() before being passed to the header function.
Quickes way to fix would be to change the t3lib_utility_Http around line 96.

- header('Location: ' . t3lib_div::locationHeaderUrl($url));
+ header('Location: ' . rawurlencode(t3lib_div::locationHeaderUrl($url)));


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #58816: Response Splitting VulnerabilityClosed2014-05-15

Actions
Actions #1

Updated by Helmut Hummel over 10 years ago

  • Project changed from TYPO3 Core to 1716
Actions #2

Updated by Helmut Hummel over 10 years ago

  • Project changed from 1716 to TYPO3 Core

http://www.ietf.org/rfc/rfc2616.txt

Section 4.2 of RFC 2616:

"A header may be spread over more than one line if you start the continuation
lines with a whitespace."

So this is no injection possibility but spaning a single header value over multiple lines.

Actions #3

Updated by Helmut Hummel over 10 years ago

Sven Carstens wrote:

- header('Location: ' . t3lib_div::locationHeaderUrl($url));
+ header('Location: ' . rawurlencode(t3lib_div::locationHeaderUrl($url)));

Regarding this fix: this will not work, as it will encode the complete URL.

Instead redirect URL generation in felogin (including the urldecode there) needs to be fixed.

Actions #4

Updated by Markus Klein over 9 years ago

  • Status changed from New to Needs Feedback

Is this still an issue?

Actions #5

Updated by Alexander Opitz over 9 years ago

  • Status changed from Needs Feedback to Closed

No feedback within the last 90 days => closing this issue.

If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.

Actions

Also available in: Atom PDF