narainhere has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks, Returning back after a long time! I want to simulate an HTTP Response splitting attack, so that I can take the necessary precautions in my future web-applications. I face problems in simulating it, please help me out with the right steps to simulate it.

The world is so big for any individual to conquer

Re: HTTP Response splitting
by pc88mxer (Vicar) on May 20, 2008 at 05:27 UTC
    First you need to write a CGI script which is vulnerable to the attack. Here's one that should work:
        use CGI qw(:standard);
        my $value = param('cookie');
        print "Content-type: text/plain\n";
        # $value is echoed unescaped into a header line: a CR/LF in it ends the header
        print "Set-Cookie: cookie=$value\n";
        print "\n\n";
        print "The cookie was set.\n";
    To figure out how to exploit it, just read up on the topic on Wikipedia.

    To protect against it you'll need to at least do this:

    • Use CGI.pm's cookie() method to create the cookie header line
    • Make sure that any parameters used in URLs are properly encoded, preferably by using a routine which will perform the encoding for you.
    With regards to this last item, does CGI.pm provide a URL encoding routine? I can't seem to find one (other than url() and self_url(), which always use the script's URL and not a general one.)
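    As an added example (not code from the thread or from pc88mxer), here is the vulnerable script above rewritten the way the two precautions suggest: a check that refuses CR/LF in a header value, and the Set-Cookie line built through CGI.pm's cookie(), whose URL-escaping is what keeps a line break out of the header. header_value_is_safe and cookie_header_for are this example's own names; escape() is CGI::Util's general-purpose URL encoder.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: the vulnerable script above,
# rewritten so that a CR/LF inside the 'cookie' parameter cannot start a
# new header line. Helper names below are this example's own.
use strict;
use warnings;
use CGI qw(:standard);
use CGI::Util qw(escape);    # CGI.pm's general-purpose URL encoder

# Reject values that could terminate a header line. Run this on the
# decoded value: by the time param() returns it, %0D%0A is already CR LF.
sub header_value_is_safe {
    my ($value) = @_;
    return 0 unless defined $value;
    return $value !~ /[\r\n]/ ? 1 : 0;
}

# Build the response header through CGI.pm. cookie() URL-escapes the
# value, so CR and LF leave as %0D and %0A instead of as line breaks.
sub cookie_header_for {
    my ($value) = @_;
    my $c = cookie(-name => 'cookie', -value => $value);
    return header(-type => 'text/plain', -cookie => $c);
}

# Constructed input in place of param('cookie'): a value carrying CR LF
# and a second line, exactly what the raw print would have split on.
my $value = "abc\r\nSecond-Line: text";

printf "check: %s\n", header_value_is_safe($value) ? 'safe' : 'rejected';
printf "escaped form: %s\n", escape($value);
print cookie_header_for($value);
print "The cookie was set.\n";
```

    Run it without a web server; the printed header shows the cookie value with its CR/LF percent-encoded rather than as a new line.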
Re: HTTP Response splitting
by pc88mxer (Vicar) on May 20, 2008 at 16:20 UTC
    It seems that perl's tainting facility could be put to use here. How about a PerlIO layer which prevents you from writing out tainted data?
        #!perl -T
        package PerlIO::via::TaintCheck;

        sub PUSHED { bless [], $_[0] }

        sub WRITE {
            my ($obj, $buf, $fh) = @_;
            if (is_tainted($buf)) {
                die "attempting to output tainted data";
            }
            print $fh $buf;
            length $buf;
        }

        sub is_tainted {
            # borrowed from PHOENIX/Taint-0.09
            local(@_, $@, $^W) = @_;    # Prevent errors, stringifying
            not eval { join("", @_), kill 0; 1 };
        }

        package main;
        use CGI qw(:standard);
        binmode STDOUT, ':via(TaintCheck)';
        ...
        # catch insecure use of param data:
        print "<p>Welcome, ", param('name'), ", to our web site.\n";