Microdot Header Injection Vulnerability via Unsanitized Cookie Parameters

Vulnerability

A header injection vulnerability has been identified in the Microdot web framework, affecting versions prior to 2.6.1. The issue arises in the Response.set_cookie() method, which fails to properly sanitize string inputs, allowing the inclusion of carriage return and newline sequences. This flaw can lead to header injection attacks. Exploitation requires an attacker to first compromise the client, potentially through cross-site scripting (XSS), to send malicious data that the server will store in a cookie for the victim. The vulnerability only affects the compromised client.

Impact

Exploitation of this vulnerability can result in header injection, which may be used to manipulate HTTP response headers, potentially leading to cross-site scripting (XSS) or other injection attacks.

Reproduction

To reproduce this vulnerability, set a cookie using the Response.set_cookie() method with unsanitized data that includes a carriage return and newline sequence. This can be done by first exploiting a cross-site scripting vulnerability to inject the malicious cookie data.

Remediation

Users are advised to upgrade to Microdot version 2.6.1 or later, and to avoid passing untrusted data to the Response.set_cookie() method.
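To make the "avoid passing untrusted data" advice concrete, the added example below (illustrative code, not Microdot's implementation; the naive renderer is a constructed stand-in for a pre-2.6.1-style concatenation) contrasts an unchecked Set-Cookie render with a guarded one that rejects any value containing CR, LF or other characters outside the RFC 6265 cookie-octet set, and shows how to detect that a single cookie value produced more than one header line.

```python
import re

# Characters that must never reach a Set-Cookie header value: CR, LF and other
# control characters (\x00-\x20, \x7f). RFC 6265 cookie-octet also excludes
# double quote, comma, semicolon and backslash, so those are rejected as well;
# they cannot split the header but can break the cookie pair itself.
_FORBIDDEN = re.compile(r'[\x00-\x20\x7f";,\\]')


def is_safe_cookie_value(value: str) -> bool:
    """True when `value` consists only of RFC 6265 cookie-octets."""
    return _FORBIDDEN.search(value) is None


def render_set_cookie_naive(name: str, value: str) -> str:
    """Constructed stand-in for an unchecked implementation: the value is
    concatenated into the header line without inspection."""
    return f"Set-Cookie: {name}={value}"


def render_set_cookie_guarded(name: str, value: str) -> str:
    """Hardened variant: refuse any value that could terminate the header
    or alter the cookie pair, instead of emitting it."""
    if not is_safe_cookie_value(value):
        raise ValueError("cookie value contains characters not allowed in a header")
    return render_set_cookie_naive(name, value)


def guard_rejects(name: str, value: str) -> bool:
    """Convenience wrapper: True if the guarded renderer refused the value."""
    try:
        render_set_cookie_guarded(name, value)
    except ValueError:
        return True
    return False


def count_header_lines(rendered: str) -> int:
    """Number of non-empty header lines in a rendered header fragment.
    More than one line from a single Set-Cookie call means the cookie
    value smuggled in an extra header, which is the condition to alert on."""
    return len([ln for ln in re.split(r"\r?\n", rendered) if ln])


# Constructed sample: a cookie value containing a CRLF sequence followed by
# text that the receiving client would parse as a second header.
INJECTED = "abc\r\nX-Injected: 1"
```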

Added: May 11, 2026, 8:39 PM
Updated: May 11, 2026, 8:39 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  7.1
  remediation     0.0
  relevance       8.0
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.