[CKAN-Security] Fwd: HTTP Response Splitting vulnerability

David Read david.read at hackneyworkshop.com
Tue Jan 3 09:37:45 UTC 2017


---------- Forwarded message ----------
From: Víctor García Guillén <vgarciag at gmail.com>
Date: 3 January 2017 at 08:48
Subject: Re: [CKAN-Security] HTTP Response Splitting vulnerability
To: David Read <david.read at hackneyworkshop.com>


Hi,

   the test is a simple curl; you can test it against our
preproduction CKAN site:

curl -k -I "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"

   In the response headers the injected header (" HeaderInjection") is
shown, returned by the server.

   I tried to check whether the same occurs on the CKAN demo site, but it
returns a 500 error:

curl -I "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"

Regards

2017-01-02 10:33 GMT+01:00 Víctor García Guillén <vgarciag at gmail.com>:
>
> Hi David,
>
>    sorry for the delay in responding. Today I am writing to the security team because the report explains the vulnerability but not the test that discovered this issue.
>
>    As soon as I have this information I will submit it.
>
>    Regards and happy new year.
>
> 2016-12-22 10:52 GMT+01:00 David Read <david.read at hackneyworkshop.com>:
>>
>> Victor,
>>
>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
>> your auditors for the specifics of how to demonstrate the issue? This
>> should be included in your test report.
>>
>> David
>>
>> On 22 December 2016 at 09:52, David Read <david.read at hackneyworkshop.com> wrote:
>> > Victor,
>> >
>> > Thanks for highlighting a potential CRLF vulnerability. Can you ask
>> > your auditors for the specifics of how to demonstrate the issue? This
>> > should be included in your test report.
>> >
>> > David
>> >
>> > On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
>> >> Hi,
>> >>
>> >>    I recently opened an issue in the CKAN GitHub. It was closed and in the
>> >> comment they referred me to write to this email.
>> >>
>> >>    The content of this issue is:
>> >>
>> >> In a recent security audit of our CKAN server we have a security vulnerability
>> >> related to the HTTP headers.
>> >>
>> >> This security vulnerability is related to HTTP Response Splitting.
>> >>
>> >> This vulnerability is explained in more detail here:
>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>> >>
>> >> There are several ways to fix this issue, but the best way is to sanitize
>> >> the HTTP headers in
>> >> the CKAN code, as explained here in this Java code:
>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>> >>
>> >>
>> >>    Please let me know if you need more information to ask the security
>> >> auditors.
>> >>
>> >>  Regards
>> >>
>> >> _______________________________________________
>> >> CKAN security
>> >> https://lists.okfn.org/mailman/listinfo/security
>> >> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>> >>
>> >> Repo: https://github.com/ckan/ckan-security
>
>
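
Added example, not part of the thread and not CKAN's own code: the fix the reporter asks for is to sanitize a user-supplied value before it is copied into a response header. The block below models a hardened redirect handler for a `?url=` parameter like the one in the curl test above. It percent-decodes the query string the way a WSGI server would, then refuses any value that still contains CR, LF or other control characters, so the Location header can never be split. The function names, the URL-scheme policy and the sample query strings are constructed for illustration.

```python
"""Defensive handling of a redirect parameter against CRLF header injection.

Added example (not CKAN's code). Models what a /util/redirect?url=... handler
should do before placing the parameter in the Location header.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def contains_header_injection(value: str) -> bool:
    """True if value holds a character that could terminate or split a header.

    CR (\\r) and LF (\\n) end the header line, so anything after them would be
    parsed as a new header or as the start of the body. NUL and the other
    C0 control characters are rejected for the same reason.
    """
    return any(ch in "\r\n\x00" or ord(ch) < 0x20 for ch in value)


def redirect_target_from_query(query_string: str) -> Optional[str]:
    """Parse the raw query string and return the `url` value only if it is
    safe to place in a Location header; otherwise return None so the caller
    can answer 400 instead of redirecting.

    Policy (an assumption for this example): only http(s) URLs or
    site-relative paths starting with "/" are accepted.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("url")
    if not values:
        return None
    target = values[0]  # parse_qs has already decoded %0d%0a into "\r\n"
    if contains_header_injection(target):
        return None
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("", "http", "https"):
        return None
    if parts.scheme == "" and not target.startswith("/"):
        return None
    return target


def build_redirect_headers(query_string: str) -> List[Tuple[str, str]]:
    """Return the header list for a 302, or an empty list when the value is
    rejected (the caller then sends an error response, not a redirect)."""
    target = redirect_target_from_query(query_string)
    if target is None:
        return []
    return [("Location", target), ("Content-Length", "0")]


if __name__ == "__main__":
    # Constructed sample inputs: the encoded CR/LF payload from the thread
    # and an ordinary site-relative path.
    for qs in ("url=%0d%0a%20HeaderInjection:owned", "url=/dataset/example"):
        print(repr(qs), "->", build_redirect_headers(qs))
```

Rejecting rather than stripping is deliberate: silently removing the CR/LF would turn an attack probe into a successful redirect to an attacker-shaped value, whereas a 400 response makes the attempt visible in server logs. Modern WSGI servers and frameworks also refuse control characters in header values, which is consistent with the 500 the reporter saw on the demo site, but validating at the application layer gives a clear error instead of an exception.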


