redirect() in bottle.py in bottle 0.12.10 doesnt filter a rn sequence, which leads to a CRLF attack, as demonstrated by a redirect(233rnSet-Cookie: name=salt) call.
Weakness
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Bottle | Bottlepy | 0.12.10 (including) | 0.12.10 (including) |
| Python-bottle | Ubuntu | esm-apps/xenial | * |
| Python-bottle | Ubuntu | esm-infra-legacy/trusty | * |
| Python-bottle | Ubuntu | precise | * |
| Python-bottle | Ubuntu | trusty | * |
| Python-bottle | Ubuntu | trusty/esm | * |
| Python-bottle | Ubuntu | upstream | * |
| Python-bottle | Ubuntu | xenial | * |
| Python-bottle | Ubuntu | yakkety | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.debian.org/security/2016/dsa-3743
- http://www.securityfocus.com/bid/94961
- https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54
- https://github.com/bottlepy/bottle/issues/913
- http://www.debian.org/security/2016/dsa-3743
- http://www.securityfocus.com/bid/94961
- https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54
- https://github.com/bottlepy/bottle/issues/913