[CKAN-Security] HTTP Response Splitting vulnerability

Adrià Mercader adria.mercader at okfn.org
Tue Feb 14 14:14:24 UTC 2017


Hi Víctor,

Just to let you know that a patch for this issue will be included in
the next patch release for CKAN, which will hopefully be released next
Wednesday.

Thanks for reporting it.

Adrià

On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
> Hi,
>
>    I recently opened an issue in the CKAN GitHub. It was closed and in the
> comment I was referred to write to this email.
>
>    The content of this issue is:
>
> In a recent security audit of our CKAN server we have a security vulnerability
> related to the HTTP headers.
>
> This security vulnerability is related to HTTP Response Splitting.
>
> This vulnerability is detailed here:
> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>
> To fix this issue there are several ways, but the best way is to sanitize
> the HTTP headers in
> the CKAN code, as is explained here in this Java code:
> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>
>
>    Please let me know if you need more information to ask the security
> auditors.
>
>  Regards
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
>
> Repo: https://github.com/ckan/ckan-security


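The report above describes the bug class but does not show it. The following Python sketch is an added illustration, not CKAN's code and not taken from the audit: it builds a redirect whose Location header is fed straight from user input, shows how a CR/LF sequence in that input turns one response into two, and then applies the reject-on-CR/LF check the reporter asks for. Every name here (build_response, sanitize_header_value, vulnerable_redirect, hardened_redirect, parse_responses, try_redirect) and the PAYLOAD value are constructed for this example; the parser is deliberately naive, modelling a client or cache that reads status line, headers and a Content-Length-bounded body, and then starts again on whatever follows.

```python
# Added example, not CKAN code. Demonstrates HTTP response splitting via
# CR/LF injection into a header value, and the header-value check that
# closes it. All names and PAYLOAD are constructed for this illustration.

CRLF = "\r\n"


class HeaderInjectionError(ValueError):
    """Raised when a header value would end its header line early."""


def build_response(status, headers, body=""):
    """Serialise a minimal HTTP/1.1 response; trusts the header values it is given."""
    lines = ["HTTP/1.1 " + status]
    lines.extend("%s: %s" % (name, value) for name, value in headers)
    return CRLF.join(lines) + CRLF + CRLF + body


def sanitize_header_value(value):
    """Reject, rather than strip, CR or LF in a header value.

    Stripping would silently turn attacker input into a different but
    valid-looking value; rejecting fails closed and leaves a trace in logs.
    """
    if "\r" in value or "\n" in value:
        raise HeaderInjectionError("CR/LF in header value: %r" % (value,))
    return value


def vulnerable_redirect(target):
    """Bug pattern: the user-supplied target goes straight into Location."""
    return build_response("302 Found",
                          [("Location", target), ("Content-Length", "0")])


def hardened_redirect(target):
    """Same redirect, but the header value is checked before serialisation."""
    return build_response("302 Found",
                          [("Location", sanitize_header_value(target)),
                           ("Content-Length", "0")])


def try_redirect(target):
    """Return the hardened response, or None when the value was rejected."""
    try:
        return hardened_redirect(target)
    except HeaderInjectionError:
        return None


def parse_responses(raw):
    """Parse raw text the way a naive client or cache would.

    Each response is a status line, header lines up to a blank line, and a
    body of Content-Length characters; anything left over is parsed as the
    next response. Returns a list of (status, headers_dict, body) tuples.
    """
    responses = []
    rest = raw
    while rest.startswith("HTTP/1.1 "):
        head, _, rest = rest.partition(CRLF + CRLF)
        status_line, *header_lines = head.split(CRLF)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(": ")
            headers[name] = value
        length = int(headers.get("Content-Length", "0"))
        body, rest = rest[:length], rest[length:]
        responses.append((status_line[len("HTTP/1.1 "):], headers, body))
    return responses


# Constructed attacker input. In a real request it would arrive
# percent-encoded (%0d%0a) in a query parameter and be decoded by the web
# framework before reaching the handler. It closes the legitimate response
# with its own Content-Length: 0 and then supplies a complete second one.
PAYLOAD = ("/dataset" + CRLF
           + "Content-Length: 0" + CRLF + CRLF
           + "HTTP/1.1 200 OK" + CRLF
           + "Content-Type: text/html" + CRLF
           + "Content-Length: 21" + CRLF + CRLF
           + "<html>attacker</html>")


if __name__ == "__main__":
    for status, headers, body in parse_responses(vulnerable_redirect(PAYLOAD)):
        print("vulnerable: saw response %r with body %r" % (status, body))
    print("hardened: %r" % (try_redirect(PAYLOAD),))
```

Run stand-alone, the vulnerable path yields two responses, the second a forged "200 OK" carrying attacker-controlled HTML that a shared cache could store under the redirect URL; the hardened path raises before any bytes are written. The check belongs at the single point where header values are set (a Response wrapper or middleware), not in each handler, so that every header, not only Location, is covered.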