[CKAN-Security] HTTP Response Splitting vulnerability
David Read
david.read at hackneyworkshop.com
Thu Dec 22 09:52:38 UTC 2016
Victor,
Thanks for highlighting a potential CRLF vulnerability. Can you ask
your auditors for the specifics of how to demonstrate the issue? This
should be included in your test report.
David
On 22 December 2016 at 09:52, David Read <david.read at hackneyworkshop.com> wrote:
> Victor,
>
> Thanks for highlighting a potential CRLF vulnerability. Can you ask
> your auditors for the specifics of how to demonstrate the issue? This
> should be included in your test report.
>
> David
>
> On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
>> Hi,
>>
>> I recently Open an issue in the CKAN Github. It was closed and in the
>> comment refer me to write to this email.
>>
>> The content of this issue is:
>>
>> In a recent security audit of our CKAN server we have security vulnerability
>> related to the http headers.
>>
>> This seccurity vulnerability is related to a HTTP Response Splitting
>>
>> This vulnerability is more datailed here
>> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>>
>> To fix this issue there are several ways but the better way is to sanitize
>> the http headers in
>> the CKAN code as is explained here in this Java code:
>> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>>
>>
>> Please comment me if you need more information to ask to the security
>> auditors.
>>
>> Regards
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>>
>> Repo: https://github.com/ckan/ckan-security
More information about the Security
mailing list