-
Notifications
You must be signed in to change notification settings - Fork 310
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improper Neutralization of CRLF Sequences in HTTP Headers #67
Comments
Details CRLF is an abbreviation for the terms "carriage return" and "line feed." These two special characters are a legacy of old-fashioned printing terminals used in the early days of computing. However, today both are still often used as delimiters between data. When this weakness exists, CR and LF characters (represented respectively in code as \r and \n) are permitted to be present in HTTP headers, usually due to poor planning for data handling during development. CRLF sequences in HTTP headers are known as "response splitting" because these characters effectively split the response from the browser, causing the single line to be accepted as multiple lines by the server (for example, the single line First Line\r\nSecond Line would be accepted by the server as two lines of input). While response splitting in itself is not an attack, and can be completely harmless unless exploited, its presence could lead to an injection attack (known as CRLF injection) and a variety of unpredictable and potentially dangerous behavior. This weakness can be exploited in a number of ways, such as page hijacking or cross-user defacement, in which an attacker displays false site content and/or captures confidential information such as credentials. It can even lead to cross-site scripting attacks, in which attackers can cause malicious code to execute in the user's browser. For example, the following code is vulnerable: protected void doGet(HttpServletRequest request, HttpServletResponse response) { because the user may provide a name parameter with a value like XYZ\r\nHTTP/1.1 200 OK\nATTACKER CONTROLLED. In this case, they will produce a second HTTP response: HTTP/1.1 200 OK A possible fix is to remove all non-alphanumerical characters: protected void doGet(HttpServletRequest request, HttpServletResponse response) { In this case, the attacker would be unable to produce a second HTTP response.
|
lines 661 ,
664, ssdpReq.setUSN(serviceUSN);
686, ssdpReq.setUSN(devUSN);
711, dev.postSearchResponse(ssdpPacket, serviceNT, serviceUSN);
716, dev.postSearchResponse(ssdpPacket, serviceType, serviceUSN);
Unsanitized input from data from a remote resource flows into setHeader and reaches an HTTP header returned to the user. This may allow a malicious input that contain CR/LF to split the http response into two responses and the second response to be controlled by the attacker. This may be used to mount a range of attacks such as cross-site scripting or cache poisoning.
router/java/src/org/cybergarage/upnp/Service.java#L661)
The text was updated successfully, but these errors were encountered: