Vigil@nce: HTTP, incoherent handling of parameters
May 2009 by Vigil@nce
The HTTP protocol does not define the behavior of web servers when
a request contains the same variable several times, which can
generate vulnerabilities.
Severity: 1/4
Consequences: data reading, data creation/editing, data flow
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 20/05/2009
IMPACTED PRODUCTS
– HTTP
DESCRIPTION OF THE VULNERABILITY
RFC 2616 defines the HTTP protocol. RFC 3986 defines the
syntax of URIs. For example:
http://server/page?var1=val1&var2=val2
Neither RFC defines how to handle URLs that contain the same
variable name several times. For example:
http://server/page?var=val1&var=val2
Developers of HTTP services have therefore made different choices:
– ASP.NET : the value is the concatenation of parameters
("val1,val2")
– PHP : the value is the last parameter ("val2")
– JSP : the value is the first parameter ("val1")
– Zope : the value is an array (['val1', 'val2'])
Similarly, if a parameter is defined both in the query string and in a
Cookie, behaviors diverge. For example:
POST /page?var=val1
Cookie: var=val2
(empty line)
var=val3
An attacker can therefore exploit these inconsistent behaviors in order
to bypass an IDS or web filtering modules.
These vulnerabilities have been named HPP (HTTP Parameter Pollution).
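As an added illustration, not part of the Vigil@nce advisory, the following Python script reproduces the four parsing policies listed above on a constructed query string, reports which parameter names a filter and a backend using different policies would read differently, and implements a simple defender-side check that flags any parameter name supplied more than once across the query string, the Cookie header and the body. Function names, the cookie parser and the sample request are my own assumptions, chosen to mirror the advisory's example.

```python
from urllib.parse import parse_qsl

# Parsing policies named in the advisory: JSP keeps the first value,
# PHP the last, ASP.NET concatenates with a comma, Zope returns a list.
POLICIES = ("first", "last", "concat", "array")


def parse_with_policy(query, policy):
    """Parse a query string the way a server with the given policy would."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if policy == "first":
            result.setdefault(name, value)
        elif policy == "last":
            result[name] = value
        elif policy == "concat":
            result[name] = value if name not in result else result[name] + "," + value
        elif policy == "array":
            result.setdefault(name, []).append(value)
        else:
            raise ValueError("unknown policy: %s" % policy)
    return result


def disagreeing_parameters(query):
    """Names whose effective value differs between at least two policies.

    A filter using one policy and a backend using another will see
    different values for exactly these names, so a filter should
    normalize or reject such requests rather than guess."""
    views = {p: parse_with_policy(query, p) for p in ("first", "last", "concat")}
    names = set().union(*(v.keys() for v in views.values()))
    return sorted(n for n in names if len({views[p][n] for p in views}) > 1)


def parse_cookie_header(header):
    """Minimal Cookie header parser (hypothetical helper): name=value pairs separated by ';'."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def duplicated_parameters(query, cookie_header="", body=""):
    """Map each parameter name supplied more than once to the sources carrying it.

    Sources are inspected in the order query string, Cookie header, body,
    matching the advisory's POST example."""
    seen = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append("query")
    for name, _ in parse_cookie_header(cookie_header):
        seen.setdefault(name, []).append("cookie")
    for name, _ in parse_qsl(body, keep_blank_values=True):
        seen.setdefault(name, []).append("body")
    return {n: s for n, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    # Constructed sample request mirroring the advisory's example.
    query = "var=val1&var=val2&other=x"
    for p in POLICIES:
        print(p, parse_with_policy(query, p))
    print("disagreeing:", disagreeing_parameters(query))
    print("duplicated:", duplicated_parameters("var=val1", "var=val2", "var=val3"))
```

The practical takeaway for a filter author is that the safe behavior is to treat any name in `duplicated_parameters` or `disagreeing_parameters` as suspicious, because the value the filter inspects is only guaranteed to match the backend's value when no duplicates exist.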
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8726
http://vigilance.fr/vulnerability/HTTP-incoherent-handling-of-parameters-8726