CRLF injection vulnerability in diff API

Issue #320 resolved
Mika Myllynen
created an issue

Short summary: Attackers are able to manipulate logged-in victims' cookies, which may cause problems up to gaining access to the user session. To utilize this vulnerability the attacker must cause the victim to go to a specifically crafted URL.

The revision parameter of the diff API has a CRLF injection vulnerability where CRLF characters in the parameter are executed by the application as a newline, which causes subsequent text to be interpreted as a part of the HTTP request headers. This allows insertion of any HTTP headers, including a session cookie an attacker has selected.

Steps to reproduce:

  1. Log in to the SCM webapp
  2. In the browser, view the cookies the SCM webapp domain has set and note that there is no cookie called Tamper (one the next step will create)
  3. Paste the following URL to your browser: <scm-webapp-domain:port>/scm-webapp/api/rest/repositories/fc5ed767-acdd-4f4f-9a91-700de2a800ba/diff?revision=any%0D%0ASet-cookie:%20Tamper=3079675143472450634&_dc=1358930006076
  4. View the cookies again and note that a cookie named Tamper now exists.
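
The header construction with and without the check, plus a log scan for the encoded CRLF from the reproduction URL, as an added Python illustration that is not SCM-Manager's code; the function names, the repository id and the access-log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed model of the defect: a request parameter copied into a header
# line without validation. A CR/LF inside the value terminates that header
# and everything after it becomes additional headers (here a Set-cookie).
def build_headers_vulnerable(revision):
    raw = "Content-Type: text/plain\r\nX-Revision: " + revision + "\r\n"
    # Return the individual header lines as a client would parse them
    return [line for line in raw.split("\r\n") if line]

# Hardened variant: refuse any character that can end a header line before
# the value is ever placed into the response (mirrors the IllegalArgumentException
# behaviour described in the fix confirmation, message text reused for clarity).
def validate_header_param(value):
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("parameter contains an illegal character")
    return value

def build_headers_safe(revision):
    return build_headers_vulnerable(validate_header_param(revision))

def is_rejected(revision):
    """True when the hardened builder refuses the value."""
    try:
        build_headers_safe(revision)
        return False
    except ValueError:
        return True

# Detection over access logs: flag request paths whose query string carries an
# encoded CR or LF, which is how the injected header reaches the server.
CRLF_IN_QUERY = re.compile(r"%0[dD]|%0[aA]")

def find_crlf_requests(log_lines):
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|PUT) (\S+)', line)
        if m and CRLF_IN_QUERY.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (combined log format, fictitious client and repo id)
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jan/2013:10:33:26 +0200] "GET /scm-webapp/api/rest/repositories/REPO-ID/diff?revision=abc123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Jan/2013:10:34:01 +0200] "GET /scm-webapp/api/rest/repositories/REPO-ID/diff?revision=any%0D%0ASet-cookie:%20Tamper=1 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    injected = unquote("any%0D%0ASet-cookie:%20Tamper=1")
    print(build_headers_vulnerable(injected))   # third line is the injected Set-cookie
    print(is_rejected(injected))                # True: hardened path refuses it
    print(find_crlf_requests(SAMPLE_LOG))       # only the second request is flagged
```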

Comments (8)

  1. Mika Myllynen reporter

    Confirming this fixes the issue: instead of setting the cookie, an error

    java.lang.IllegalArgumentException: parameter contains an illegal character

    is shown.