CVE-2013-6166

Chromium 25.0.1364.160, Iceweasel/Firefox 19 and
probably many other browsers allow javascript to set broken cookie
values, leading to possible permanent "400 Bad Request" responses. The
broken value might be set by 3rd party libraries.

For example the google analytics code is vulnerable, as it sets cookie
values based on parameters in the referer query string. lighttpd does
not allow control characters in http header values, so any lighttpd
site using google analytics is vulnerable if you can get the user to
follow a link (img tag for example) to that site like this:

http://www.example.com/?utm_source=test&utm_medium=test&utm_campaign=te%05st


Afaik apache doesn't check the cookie values (or perhaps removes the
broken characters). Imho they are responsible for this mess :)

To be clear: the bug is in the browser / javascript implementation:

document.cookie MUST NOT allow cookie values which include certain
control characters. Javascript applications should not use 8-bit
characters.

(If browser vendors want to allow broken cookie values to be stored,
they MUST NOT send them to the server; in this case javascript
applications can still read the broken values. But I don't think this
is a good idea.)

The safe character set for HTTP header values is: %x20-7E; %x80-FF is
obsoleted by the current draft.

"A recipient MAY replace any linear white space with a single SP before
interpreting the field value", so horizontal tabs are not "safe" - they
might get converted to a space, but are not forbidden (also multiple
spaces can get replaced by a single one).


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6166
http://www.openwall.com/lists/oss-security/2013/04/03/10
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6166
http://www.cvedetails.com/cve/CVE-2013-6166/
https://code.google.com/p/chromium/issues/detail?id=238041
http://seclists.org/oss-sec/2013/q4/121
http://seclists.org/oss-sec/2013/q4/117
http://redmine.lighttpd.net/issues/2188