Item13797: Possible cache poisoning
Priority: Security
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
With some combination of the web-server configuration (which headers are allowed to pass) and other things, there is a probability of attacking Foswiki's cache:
for example, the request:
curl --header "Referrer: EVILREF" --header "Host: EVILHOST" --header "Evilhead: EVILHEAD" http://foswiki.org/Sandbox/WebHome
could poison the cache. (This depends on the web-server config, i.e. how it allows (accepts) the Host: and other headers.)
With the wrong server config it could result in:
...script class='script JQUERYPLUGIN::FOSWIKI::PREFERENCES foswikiPreferences' type='text/json' ...{
"SYSTEMWEB" : "System",
"SCRIPTURLPATH" : "/bin",
"USERNAME" : "guest",
"PUBURLPATH" : "/pub",
"SERVERTIME" : "05 Oct 2015 - 22:33",
"PUBURL" : "http://EVILHOST/pub", #NOTE THIS
"WIKIUSERNAME" : "Main.WikiGuest",
"WIKINAME" : "WikiGuest",
"WEB" : "Sandbox",
"SKIN" : "natedit,pattern",
"TOPIC" : "SuSu",
"NAMEFILTER" : "[\\\\\\s\\*?~^\\$@%`\"'\\x26;|\\x3c>\\[\\]#\\x00-\\x1f]",
"SCRIPTURL" : "http://EVILHOST/bin", #ALSO THIS
"USERSWEB" : "Main",
"SCRIPTSUFFIX" : ""
}
Maybe it isn't a real threat, but it is better to know about it.
The reason: Foswiki blindly outputs any HTTP_\w+ environment variable. For example, %ENV{HTTP_EVILHEAD}% or %ENV{HTTP_REFERRER}% in some topic could output (and cache) the crafted header values.
--
JozefMojzis - 05 Oct 2015
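The scenario above, as an added example that is not part of the original report and not Foswiki code: a toy model in which a page cache is keyed on the request path alone, the page's PUBURL/SCRIPTURL are built from the untrusted Host header, and %ENV{HTTP_*}% macros expand request headers into the page body. An attacker primes the cache with crafted headers and the next visitor receives the poisoned page. The "hardened" mode shows the two checks that close it: build URLs from a configured canonical host instead of the Host header, and refuse to expand request-supplied HTTP_* names. CANONICAL_HOST, SANDBOX_TOPIC, PageCache and victim_view are assumptions of this model, not Foswiki identifiers.

```python
"""Toy model of Host-header / %ENV{HTTP_*}% cache poisoning (added example, not Foswiki code)."""
import json
import re

CANONICAL_HOST = "foswiki.org"  # assumed: the host the site is configured to use

# Constructed topic text containing the macros the report mentions.
SANDBOX_TOPIC = "Referrer was: %ENV{HTTP_REFERRER}% / custom: %ENV{HTTP_EVILHEAD}%"


def cgi_env(headers):
    """CGI-style mapping of request headers: 'Evilhead: X' becomes HTTP_EVILHEAD=X."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def expand_env_macros(text, env, allow_request_headers):
    """Expand %ENV{NAME}%. Hardened mode refuses HTTP_* names, which are attacker-controlled."""

    def repl(match):
        name = match.group(1)
        if name.startswith("HTTP_") and not allow_request_headers:
            return ""
        return env.get(name, "")

    return re.sub(r"%ENV\{(\w+)\}%", repl, text)


def render_page(headers, hardened):
    """Render the preferences block plus topic body for one request."""
    # Vulnerable: trust whatever Host the client sent. Hardened: use the configured host.
    host = CANONICAL_HOST if hardened else headers.get("Host", CANONICAL_HOST)
    prefs = {"PUBURL": f"http://{host}/pub", "SCRIPTURL": f"http://{host}/bin"}
    body = expand_env_macros(SANDBOX_TOPIC, cgi_env(headers), allow_request_headers=not hardened)
    return json.dumps(prefs) + "\n" + body


class PageCache:
    """Path-keyed cache: whoever renders a path first decides what every later visitor gets.

    Once the rendered output no longer depends on request headers (hardened mode),
    a path-only key is safe; otherwise the key would have to include every header
    that influences the output, which is exactly what a path-only cache does not do.
    """

    def __init__(self):
        self.store = {}

    def serve(self, path, headers, hardened):
        if path not in self.store:
            self.store[path] = render_page(headers, hardened)
        return self.store[path]


def victim_view(hardened):
    """Attacker primes the cache with the report's headers, then a normal visitor hits the same path."""
    cache = PageCache()
    attacker_headers = {"Host": "EVILHOST", "Referrer": "EVILREF", "Evilhead": "EVILHEAD"}
    cache.serve("/Sandbox/WebHome", attacker_headers, hardened)
    victim_headers = {"Host": "foswiki.org"}
    return cache.serve("/Sandbox/WebHome", victim_headers, hardened)


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(victim_view(hardened=False))
    print("--- hardened ---")
    print(victim_view(hardened=True))
```

In the vulnerable run the victim's page carries http://EVILHOST/pub, http://EVILHOST/bin and the EVILREF/EVILHEAD values even though the victim sent none of those headers; in the hardened run both the URLs and the topic body are independent of the attacker's request, so priming the cache gains nothing.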