I noticed that the redirect_uri parameter, which is used to redirect users to any location on the page, passes all of its data into a header("Location: ...") call without any validation. The problem is that PHP (the current PHP versions shipped by Debian/Ubuntu; other distributions seem to have a proper patch in place) actually implements the header() function according to RFC 1945, which says:
HTTP/1.0 headers may be folded onto multiple lines if each
continuation line begins with a space or horizontal tab. All linear
whitespace, including folding, has the same semantics as SP.
This means that doing the following request:
Will result in the following response:
The problem is that IE does not care about that rule from RFC 1945 at all: it strips the tab character from the header and follows it:
You should most likely disallow this character sequence completely, so that the PHP versions with the flawed backport won't emit it. Properly patched PHP versions will refuse the request because of the newlines in the header.
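An input check of the kind recommended above, written here as an added example and not code from this report or the affected project; the function names and the allow-listed host are assumptions:

```php
<?php
// Added example: validate a redirect target before handing it to header().
// Rejects the CR/LF + SP/HTAB folding sequence described in the report, and
// every other control character, so neither a patched nor an unpatched PHP
// build can emit a folded Location header. Names here are illustrative.

function validate_redirect_uri(string $uri, array $allowedHosts): ?string
{
    // Any ASCII control character (0x00-0x1F, 0x7F) fails the check. This
    // covers "\r\n\t" folding as well as plain "\r\n" header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $uri)) {
        return null;
    }
    $parts = parse_url($uri);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: only https to an allow-listed host is accepted.
        if (($parts['scheme'] ?? '') !== 'https'
            || !in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
            return null;
        }
        return $uri;
    }
    // Relative target: must start with a single slash (not "//host" or "\host").
    if (!preg_match('#^/(?![/\\\\])#', $uri)) {
        return null;
    }
    return $uri;
}

function safe_redirect(string $uri, array $allowedHosts, string $fallback = '/'): void
{
    // Fall back to a fixed local path instead of redirecting to a rejected value.
    $target = validate_redirect_uri($uri, $allowedHosts) ?? $fallback;
    header('Location: ' . $target, true, 302);
    exit;
}

// Constructed sample inputs: the first carries the folding sequence and is rejected,
// the second is a plain relative path, the third is a protocol-relative URL.
$allowed = ['app.example.com'];
var_dump(validate_redirect_uri("/account\r\n\tX-Injected: 1", $allowed));
var_dump(validate_redirect_uri('/account?tab=1', $allowed));
var_dump(validate_redirect_uri('//evil.example/', $allowed));
var_dump(validate_redirect_uri('https://app.example.com/cb', $allowed));
```

Rejecting control characters up front means the check does not depend on whether the installed PHP build itself refuses newlines in header().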