[CKAN-Security] HTTP Response Splitting vulnerability

David Read david.read at hackneyworkshop.com
Wed Jan 18 10:15:07 UTC 2017


Victor,

Firstly, could you delete the issue:
https://github.com/ckan/ckan/issues/3371
as disclosing this publicly is very bad.

I forwarded it to the security list. There was a proposed fix and at
some point they will issue patches. For more information, address the
list.

David

On 18 January 2017 at 09:56, Víctor García Guillén <vgarciag at gmail.com> wrote:
> Hi, David,
>
>    any advance on this issue?
>
> Regards
>
> 2017-01-03 9:48 GMT+01:00 Víctor García Guillén <vgarciag at gmail.com>:
>>
>> Hi,
>>
>>    the test is simply a curl; you can test it against our preproduction
>> CKAN site:
>>
>> curl -k -I
>> "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"
>>
>>    In the response headers the injected header (" HeaderInjection") is
>> shown, returned by the server.
>>
>>    I tried to check whether the same occurs on the CKAN demo site, but it
>> returns a 500 error:
>>
>> curl -I
>> "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"
>>
>> Regards
>>
>> 2017-01-02 10:33 GMT+01:00 Víctor García Guillén <vgarciag at gmail.com>:
>>>
>>> Hi David,
>>>
>>>    sorry for the delay in responding. Today I am writing to the security
>>> team because the report explains the vulnerability but not the test that
>>> discovered this issue.
>>>
>>>    As soon as I have this information I will submit it.
>>>
>>>    Regards and happy new year.
>>>
>>> 2016-12-22 10:52 GMT+01:00 David Read <david.read at hackneyworkshop.com>:
>>>>
>>>> Victor,
>>>>
>>>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>>> your auditors for the specifics of how to demonstrate the issue? This
>>>> should be included in your test report.
>>>>
>>>> David
>>>>
>>>> On 22 December 2016 at 09:52, David Read
>>>> <david.read at hackneyworkshop.com> wrote:
>>>> > Victor,
>>>> >
>>>> > Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>>> > your auditors for the specifics of how to demonstrate the issue? This
>>>> > should be included in your test report.
>>>> >
>>>> > David
>>>> >
>>>> > On 19 December 2016 at 10:23, Víctor García Guillén
>>>> > <vgarciag at gmail.com> wrote:
>>>> >> Hi,
>>>> >>
>>>> >>    I recently opened an issue on the CKAN GitHub. It was closed and
>>>> >> the comment referred me to write to this email.
>>>> >>
>>>> >>    The content of this issue is:
>>>> >>
>>>> >> In a recent security audit of our CKAN server we have a security
>>>> >> vulnerability related to the HTTP headers.
>>>> >>
>>>> >> This security vulnerability is related to HTTP Response Splitting.
>>>> >>
>>>> >> This vulnerability is described in more detail here:
>>>> >>
>>>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>>>> >>
>>>> >> There are several ways to fix this issue, but the better way is to
>>>> >> sanitize the HTTP headers in the CKAN code, as explained in this
>>>> >> Java code:
>>>> >>
>>>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>>>> >>
>>>> >>
>>>> >>    Please let me know if you need more information to ask the
>>>> >> security auditors.
>>>> >>
>>>> >>  Regards
>>>> >>
>>>
>>>
>>
>

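Added example, not CKAN's code and not the fix the list later issued: the kind of check a redirect endpoint such as the `/util/redirect?url=` one discussed in this thread needs before writing a Location header, written in Python because CKAN is a Python application. `naive_header_line_count` shows why the curl payload above turns one header into two; `safe_redirect_target` is the guard. Function names and the allowed-host list are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Any C0 control character or DEL in a header value is a risk; CR and LF
# are the pair that actually terminates a header line.
_FORBIDDEN = frozenset(chr(c) for c in range(0x20)) | {"\x7f"}

class UnsafeRedirect(ValueError):
    """Raised when a redirect target could corrupt the HTTP response."""

def naive_header_line_count(raw_url):
    """Show the defect: count the header lines an unchecked
    'Location: ' + unquote(url) would emit (constructed, not CKAN code)."""
    header = "Location: " + unquote(raw_url)
    return len([line for line in header.split("\r\n") if line])

def safe_redirect_target(raw_url, allowed_hosts):
    """Return the decoded target if it is safe in a Location header, else
    raise UnsafeRedirect.  allowed_hosts holds host[:port] strings such as
    "opendata-pre.vlci.valencia.es:8443" (assumed configuration).

    The control-character check runs on the decoded string *before*
    urlsplit(): recent urllib.parse versions strip CR, LF and TAB while
    parsing, so a check on the parsed pieces would miss the payload.
    """
    url = unquote(raw_url)
    bad = sorted({ch for ch in url if ch in _FORBIDDEN})
    if bad:
        raise UnsafeRedirect("control characters in redirect target: %r" % bad)
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        raise UnsafeRedirect("unexpected scheme: %r" % parts.scheme)
    # An absolute URL must stay on a host we own; otherwise the same
    # endpoint doubles as an open redirect.
    if parts.netloc and parts.netloc.lower() not in allowed_hosts:
        raise UnsafeRedirect("redirect to foreign host: %r" % parts.netloc)
    return url

def is_safe_redirect_target(raw_url, allowed_hosts):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        safe_redirect_target(raw_url, allowed_hosts)
    except UnsafeRedirect:
        return False
    return True

if __name__ == "__main__":
    payload = "%0d%0a%20HeaderInjection:owned"  # the value from the curl above
    print("naive header lines:", naive_header_line_count(payload))
    print("accepted:", is_safe_redirect_target(payload, frozenset()))
```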
