First you need to write a CGI script which is vulnerable to the attack. Here's one that should work:
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard);

# The 'cookie' query parameter is taken straight from the request...
my $value = param('cookie');

print "Content-type: text/plain\n";
# ...and interpolated unchecked into a response header line, so a CR/LF
# in the parameter ends this header and lets the client supply its own.
print "Set-Cookie: cookie=$value\n";
print "\n";    # blank line ends the header block
print "The cookie was set.\n";
To figure out how to exploit it, just read up on the topic on Wikipedia.
To protect against it you'll need to at least do this:
- Use CGI.pm's cookie() method to create the cookie header line
- Make sure that any parameters used in URLs are properly encoded, preferably by using a routine which will perform the encoding for you.
With regard to this last item, does CGI.pm provide a URL encoding routine? I can't seem to find one (other than url() and self_url(), which always use the script's URL and not a general one).
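For comparison, here is an added example (not code from the original post) of the same script written the way the two protective items above describe: the Set-Cookie line is produced by CGI.pm's cookie() and header() instead of string interpolation, values containing CR or LF are rejected outright as a second line of defence, and a small helper builds a URL for an arbitrary base (not just the script's own) with every parameter passed through escape() from CGI::Util, the encoding routine that ships with CGI.pm. The parameter name 'cookie', the 400 response for bad input and the build_url() helper are choices made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard);
use CGI::Util qw(escape);    # URL-encoding routine shipped with CGI.pm

# Build a query URL for any base, encoding names and values so that
# characters such as '&', '=', CR or LF cannot change the URL's structure.
# (Helper written for this example; not part of CGI.pm.)
sub build_url {
    my ($base, %params) = @_;
    my @pairs = map { escape($_) . '=' . escape($params{$_}) } sort keys %params;
    return @pairs ? "$base?" . join('&', @pairs) : $base;
}

my $value = param('cookie');
$value = '' unless defined $value;

# Defence in depth: a header value must never contain a line break.
# cookie() would encode it anyway, but refusing it makes the intent explicit.
if ($value =~ /[\r\n]/) {
    print header(-type => 'text/plain', -status => '400 Bad Request');
    print "Invalid cookie value.\n";
    exit;
}

# cookie() URL-encodes the value and header() emits the complete header
# block, so the parameter can no longer terminate the Set-Cookie line.
my $c = cookie(-name => 'cookie', -value => $value);
print header(-type => 'text/plain', -cookie => $c);

print "The cookie was set.\n";

# A link carrying the same value back, built with proper encoding rather
# than interpolating the raw parameter into the URL.
print 'Next: ', build_url('/cgi-bin/example.cgi', cookie => $value), "\n";
```

Run it as a CGI with a value such as `a%0d%0aX-Injected: 1` and the response now carries a single, encoded Set-Cookie header (or a 400) rather than an extra header line; build_url() likewise turns the CR/LF into `%0D%0A` so the link stays a single parameter.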