WebKit contains a flaw that allows an attacker to conduct an HTTP response splitting attack. This flaw exists because window.location.href and similar needlessly decode URI-encoded characters. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

The vendor has released a patch to address this vulnerability. There are no known workarounds or upgrades to correct this issue. Check the vendor advisory, changelog, or solution in the references section for details.

• Security Tracker: 1027307
• CVE ID: 2012-3696 (see also: NVD)
• Secunia Advisory ID: 50058 50586
• Related OSVDB ID: 84200 84201 84203 84204 84205 84206 84207 84209 84210 84211 84213 84214
• Generic Informational URL: http://en.wikipedia.org/wiki/HTTP_response_splitting
• Vendor Specific Advisory URL: http://support.apple.com/kb/HT5400
  http://support.apple.com/kb/HT5503
• Vendor Specific Solution URL: http://trac.webkit.org/changeset/96779
• Vendor Specific News/Changelog Entry: https://bugs.webkit.org/show_bug.cgi?id=30225

• David Belcher - BlackBerry Security Incident Response Team