[CKAN-Security] HTTP Response Splitting vulnerability
Adrià Mercader
adria.mercader at okfn.org
Tue Feb 14 14:14:24 UTC 2017
Hi Víctor,
Just to let you know that a patch for this issue will be included in
the next patch release for CKAN, which will hopefully be released next
Wednesday.
Thanks for reporting it.
Adrià
On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
> Hi,
>
> I recently opened an issue in the CKAN GitHub. It was closed and in the
> comment they referred me to write to this email.
>
> The content of this issue is:
>
> In a recent security audit of our CKAN server we found a security vulnerability
> related to the HTTP headers.
>
> This security vulnerability is related to HTTP Response Splitting.
>
> This vulnerability is described in more detail here:
> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>
> To fix this issue there are several ways, but the better way is to sanitize
> the HTTP headers in the CKAN code, as is explained here in this Java code:
> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>
>
> Please contact me if you need more information to ask the security
> auditors.
>
> Regards
>
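As an added example (not code from CKAN or from this thread), a minimal Python header-value sanitizer of the kind the report asks for: it rejects or strips CR/LF/NUL in header values and shows, on a constructed tainted value, that the unsanitized serialization produces two header lines where one was intended. The names `sanitize_header_value`, `render_headers`, `count_header_lines` and the sample `TAINTED` are assumptions made for this example.

```python
import re

# Constructed sample: a request-controlled value (e.g. a redirect target) carrying
# CRLF, so a naive "Location: <value>" line would end early and the remainder
# would be parsed by the client as a second header.
TAINTED = "/dataset?q=foo\r\nX-Injected: 1"

# CR, LF and NUL terminate or corrupt a header line; they must never reach a value.
_SPLIT_CHARS = re.compile(r"[\r\n\x00]")
# RFC 7230 field-value allows printable ASCII, SP, HTAB and obs-text; drop other controls.
_OTHER_CTL = re.compile(r"[\x01-\x08\x0b\x0c\x0e-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """Raised when a header value would split the response."""


def sanitize_header_value(value: str, strict: bool = True) -> str:
    """Return a value safe to place on a single header line.

    strict=True fails closed (raise, so the caller can log and reject the request);
    strict=False strips the offending characters instead.
    """
    if _SPLIT_CHARS.search(value):
        if strict:
            raise HeaderInjectionError("CR/LF/NUL in header value: %r" % value)
        value = _SPLIT_CHARS.sub("", value)
    return _OTHER_CTL.sub("", value)


def render_headers(headers: dict, sanitize: bool = True) -> bytes:
    """Serialize headers the way an HTTP/1.1 server writes the header block."""
    lines = []
    for name, value in headers.items():
        if sanitize:
            value = sanitize_header_value(value, strict=False)
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def count_header_lines(raw: bytes) -> int:
    """Number of header lines a client would parse from a raw header block."""
    return len(raw.rstrip(b"\r\n").split(b"\r\n"))


if __name__ == "__main__":
    print(count_header_lines(render_headers({"Location": TAINTED}, sanitize=False)))  # 2
    print(count_header_lines(render_headers({"Location": TAINTED})))  # 1
```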