ninenines cowlib CRLF Injection Vulnerability Allowing HTTP Request Splitting and Cookie Smuggling
Vulnerability
A CRLF injection vulnerability has been identified in ninenines cowlib version 2.9.0 and later. The issue lies in the cow_cookie:cookie/1 function, which serializes a Cookie: request header from name-value pairs without validating them. An attacker who controls a cookie name or value can inject CR and LF characters into it, and the serialized header then carries arbitrary appended headers or even a complete second request that a shared upstream proxy may process separately (HTTP request splitting). The same lack of validation allows phantom cookies to be injected into the header, which the receiving server may accept as if the client had set them legitimately (cookie smuggling).
Impact
Successful exploitation results in HTTP request header splitting and cookie smuggling: an attacker can alter the cookie data and request headers that the origin server or an upstream proxy receives, in ways those components may misinterpret as legitimate client input.
Reproduction
To reproduce this vulnerability, pass attacker-controlled cookie names or values to the cow_cookie:cookie/1 function. The injected input can contain CR, LF, or TAB characters, or the delimiter characters that separate one cookie from the next. Because the vulnerable function performs no validation, the injected characters are reflected verbatim in the serialized Cookie: header, which is what enables the request splitting or cookie smuggling.
Remediation
A preliminary patch for this vulnerability has been made available in the erlef fork of cowlib. Until the fix is in use, validate cookie names and values against the RFC 6265 grammar (a name must be a token; a value must consist only of cookie-octets, optionally enclosed in double quotes) before passing them to cow_cookie:cookie/1.
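The following is an added example of such a pre-validation guard, written here for this advisory and not taken from cowlib or the erlef fork; the module name is hypothetical, and it assumes cow_cookie:cookie/1 accepts a list of {Name, Value} pairs as iodata, as the advisory describes.

```erlang
%% Hypothetical guard module: reject any {Name, Value} pair that does not
%% satisfy the RFC 6265 grammar before it reaches cow_cookie:cookie/1.
-module(rfc6265_cookie_guard).
-export([valid_name/1, valid_value/1, safe_cookie/1]).

%% cookie-name = token (RFC 2616): US-ASCII, no CTLs, no separators.
%% CR, LF, TAB, SP and DEL all fall in the rejected ranges.
valid_name(Name) ->
    Bin = iolist_to_binary(Name),
    Bin =/= <<>> andalso lists:all(fun token_char/1, binary_to_list(Bin)).

token_char(C) when C =< 32; C >= 127 -> false;
token_char(C) -> not lists:member(C, "()<>@,;:\\\"/[]?={}").

%% cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
valid_value(Value) ->
    case iolist_to_binary(Value) of
        <<$", Inner/binary>> when byte_size(Inner) >= 1 ->
            %% Quoted form: the closing DQUOTE must be the last byte.
            binary:last(Inner) =:= $" andalso
                all_octets(binary:part(Inner, 0, byte_size(Inner) - 1));
        <<$", _/binary>> -> false;   % a lone DQUOTE is not a valid value
        Bin -> all_octets(Bin)
    end.

all_octets(Bin) -> lists:all(fun cookie_octet/1, binary_to_list(Bin)).

%% cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
%% i.e. no CTLs, whitespace, DQUOTE, comma, semicolon or backslash.
cookie_octet(C) when C < 16#21; C > 16#7E -> false;
cookie_octet($") -> false;
cookie_octet($,)  -> false;
cookie_octet($;)  -> false;
cookie_octet($\\) -> false;
cookie_octet(_)   -> true.

%% Validate every pair; only a fully valid list is handed on to cowlib.
%% A header-injection attempt such as {<<"sid">>, <<"x\r\nHost: evil">>}
%% or a smuggled pair such as {<<"a">>, <<"1; admin=true">>} is rejected.
safe_cookie(Pairs) ->
    Ok = lists:all(fun({N, V}) -> valid_name(N) andalso valid_value(V) end,
                   Pairs),
    case Ok of
        true  -> {ok, cow_cookie:cookie(Pairs)};
        false -> {error, invalid_cookie}
    end.
```

Compile the module alongside cowlib and call rfc6265_cookie_guard:safe_cookie/1 wherever the application previously called cow_cookie:cookie/1 directly.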
