[CKAN-Security] HTTP Response Splitting vulnerability

• Previous message: [CKAN-Security] HTTP Response Splitting vulnerability
• Next message: [CKAN-Security] HTTP Response Splitting vulnerability
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Victor,

Thanks for highlighting a potential CRLF vulnerability. Can you ask
your auditors for the specifics of how to demonstrate the issue? This
should be included in your test report.

David

On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
> Hi,
>
>    I recently Open an issue in the CKAN Github. It was closed and in the
> comment refer me to write to this email.
>
>    The content of this issue is:
>
> In a recent security audit of our CKAN server we have security vulnerability
> related to the http headers.
>
> This seccurity vulnerability is related to a HTTP Response Splitting
>
> This vulnerability is more datailed here
> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>
> To fix this issue there are several ways but the better way is to sanitize
> the http headers in
> the CKAN code as is explained here in this Java code:
> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>
>
>    Please comment me if you need more information to ask to the security
> auditors.
>
>  Regards
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>
> Repo: https://github.com/ckan/ckan-security

• Previous message: [CKAN-Security] HTTP Response Splitting vulnerability
• Next message: [CKAN-Security] HTTP Response Splitting vulnerability
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]