Exploiting CVE-2008-4283 - HTTP Response Spliting (CRLF Injection) in Websphere 5.1

I found this vuln a while back, but never successfully published the exploit after working with the vendor (IBM).  I say "succesfully", because I tried submitting it to securityfocus but it never got updated.

In short, this is how to exploit it.

By inserting %0A's onto the ibm_security_logout URL, a line feed character is injected into the 302 redirect URL, which allows you to insert custom headers.  Since it's in a 302, your options are pretty limited, but you can still set a cookie.

Here's a normal URL:

site.com/ibm_security_logout?logoutExitPage=

If the session cookie is not updated upon authentication, you can link this user and set their cookie to yours, and have them log you in.

This URL is an example exploit which sets a cookie:

site.com?logoutExitPage=%3F%0ASet-Cookie%3A+JSESSIONID%3D0000H7liWOfzyCDua8CBmxbIeqn%3Avtaz0lnc%3BPath%3D/%3B+Secure