0001_fix set cookie CVE 2015 1820.patch
4 files changed, 50 insertions(+), 23 deletions(-)
cve-2015-1820: rest-client passes values from set-cookie headers to arbitrary redirection target

When Ruby rest-client processes an HTTP redirection response, it blindly passes
along the values from any Set-Cookie headers to the redirection target,
regardless of domain, path, or expiration.

This is very similar to CVE-2015-2296, which affected python-requests.

The issue could be similarly exploited in the following ways:

* If you are the redirection source (i.e. you can make rest-client hit your
URL), you can make rest-client perform a request to any third-party domain with
cookies of your choosing. This may be useful in performing a session fixation
* If you are the redirection target (i.e. you can make a third-party
site redirect to your URL), you can steal any cookies set by the third-party
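
The check the description says is missing, as an added example that is not rest-client's code and not part of this patch: cookies from a redirect response are forwarded only when their domain, path and expiry apply to the redirection target. All method names, hosts and cookie values are constructed for illustration, and the matching follows RFC 6265 in simplified form.

```ruby
require 'uri'
require 'time'

# RFC 6265 domain-match, simplified: no IP-address or public-suffix handling.
def domain_match?(host, domain)
  host == domain || host.end_with?(".#{domain}")
end

# RFC 6265 path-match: the cookie path must be a whole-segment prefix of the request path.
def path_match?(req, cpath)
  req == cpath || (req.start_with?(cpath) && (cpath.end_with?('/') || req[cpath.length] == '/'))
end

# Parse one Set-Cookie value received from `origin` (a URI). Returns nil when the origin
# names a Domain it does not belong to. Secure and Max-Age are not handled here.
def parse_set_cookie(header, origin)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  host = origin.host.downcase
  default_path = origin.path[%r{\A(/.*)/[^/]*\z}, 1] || '/'
  c = { name: name, value: value, domain: host, host_only: true, path: default_path }
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    case key.to_s.downcase
    when 'domain'
      d = val.to_s.sub(/\A\./, '').downcase
      return nil unless domain_match?(host, d)
      c.merge!(domain: d, host_only: false)
    when 'path'    then c[:path] = val if val.to_s.start_with?('/')
    when 'expires' then c[:expires] = (Time.httpdate(val) rescue nil) # unparseable: ignored
    end
  end
  c
end

# Build the Cookie header value that may accompany the redirected request.
def cookies_for_redirect(set_cookie_headers, origin_url, target_url, now: Time.now)
  origin, target = URI(origin_url), URI(target_url)
  host = target.host.downcase
  path = target.path.empty? ? '/' : target.path
  set_cookie_headers.map { |h| parse_set_cookie(h, origin) }.compact.select do |c|
    (c[:host_only] ? host == c[:domain] : domain_match?(host, c[:domain])) &&
      path_match?(path, c[:path]) && (c[:expires].nil? || c[:expires] > now)
  end.map { |c| "#{c[:name]}=#{c[:value]}" }.join('; ')
end

# Constructed sample: Set-Cookie values returned by https://shop.example/login.
SAMPLE = ['session=abc123; Path=/', 'pref=dark; Domain=shop.example; Path=/account',
          'fixed=evil; Domain=bank.example', 'old=1; Expires=Thu, 01 Jan 2015 00:00:00 GMT'].freeze
```

With the sample, a redirect to another host receives an empty Cookie header, and the `fixed` cookie that names a foreign domain is dropped before it can reach that domain.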