[CKAN-Security] HTTP Response Splitting vulnerability

Víctor García Guillén vgarciag at gmail.com
Mon Dec 19 10:23:22 UTC 2016


Hi,

   I recently opened an issue <https://github.com/ckan/ckan/issues/3371> in
the CKAN GitHub <https://github.com/ckan/ckan>. It was closed, and in the
comment I was referred to this email address.

   The content of this issue is:

In a recent security audit of our CKAN server we found a security
vulnerability related to the HTTP headers.

This security vulnerability is an HTTP Response Splitting issue
<https://www.owasp.org/index.php/HTTP_Response_Splitting>.

This vulnerability is described in more detail here:
https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.

To fix this issue there are several ways, but the better way is to sanitize
the HTTP headers in the CKAN code, as is explained in this Java example:
http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi


   Please let me know if you need more information to ask the security
auditors.

 Regards
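The mitigation the reporter points at (sanitizing header values before they reach the response) looks like this in Python, the language CKAN is written in. This is an added illustration, not code from the email, from CKAN or from the linked Java answer; the function names, the WSGI-style header list and the sample redirect values are all constructed for the example.

```python
import re

# CR, LF and NUL must never appear inside an HTTP header value: CR/LF end
# the header line (which is exactly what response splitting relies on) and
# NUL is rejected by most servers. RFC 7230 forbids all three in a field value.
_FORBIDDEN = re.compile(r"[\r\n\x00]")

# RFC 7230 "token" characters, the only ones allowed in a header name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break header framing."""


def sanitize_header_value(value):
    """Strict variant: refuse values containing CR, LF or NUL.

    Refusing beats silently stripping: a CR/LF inside a redirect target or
    cookie value is never legitimate, so it is worth failing loudly and
    logging the request rather than quietly repairing it.
    """
    value = str(value)
    if _FORBIDDEN.search(value):
        raise HeaderInjectionError("CR/LF/NUL not allowed in header value: %r" % value)
    return value


def strip_header_value(value):
    """Lenient variant: drop CR, LF and NUL so the value stays on one line."""
    return _FORBIDDEN.sub("", str(value))


def sanitize_header_name(name):
    """Header names must be tokens, so ':' and whitespace are rejected too."""
    name = str(name)
    if not _TOKEN.match(name):
        raise HeaderInjectionError("invalid header name: %r" % name)
    return name


def add_header(headers, name, value):
    """Append (name, value) to a WSGI-style header list after validating both."""
    headers.append((sanitize_header_name(name), sanitize_header_value(value)))
    return headers


def serialize_headers(headers):
    """Render a header list in wire form, to show what the client would receive."""
    return "".join("%s: %s\r\n" % (n, v) for n, v in headers) + "\r\n"


# Constructed sample input: a redirect target taken from a request parameter,
# once clean and once carrying an embedded CRLF (the response-splitting pattern).
SAFE_LOCATION = "https://example.test/dataset/abc"
TAINTED_LOCATION = "https://example.test/\r\nX-Constructed: 1"


def demo():
    """Return (validated headers, whether the tainted value was rejected, stripped form)."""
    ok = add_header([], "Location", SAFE_LOCATION)
    try:
        add_header([], "Location", TAINTED_LOCATION)
        rejected = False
    except HeaderInjectionError:
        rejected = True
    stripped = strip_header_value(TAINTED_LOCATION)
    return ok, rejected, stripped


if __name__ == "__main__":
    ok, rejected, stripped = demo()
    print(serialize_headers(ok))
    print("tainted value rejected:", rejected)
    print("lenient form:", repr(stripped))
```

Validating the header name as well as the value matters because a name containing ":" or whitespace can also be used to smuggle a second header. Recent versions of Python's `http.client` and of common WSGI frameworks already refuse CR/LF in header values; the application-level check still helps because it runs before framework behaviour that may vary between versions, and it gives a place to log the attempt.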