[CKAN-Security] Fwd: HTTP Response Splitting vulnerability

Ian Ward ian at excess.org
Tue Jan 3 15:22:34 UTC 2017


Hmm. What's the reason we have an open redirect in the first place?

On Tue, Jan 3, 2017 at 4:37 AM, David Read
<david.read at hackneyworkshop.com> wrote:
> ---------- Forwarded message ----------
> From: Víctor García Guillén <vgarciag at gmail.com>
> Date: 3 January 2017 at 08:48
> Subject: Re: [CKAN-Security] HTTP Response Splitting vulnerability
> To: David Read <david.read at hackneyworkshop.com>
>
>
> Hi,
>
>    the test is a simple curl; you can test it against our
> preproduction CKAN site:
>
> curl -k -I "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"
>
>    In the response headers the injected header ("HeaderInjection") is
> returned by the server.
>
>    I tried to check whether the same occurs on the CKAN demo site, but it
> returns a 500 error:
>
> curl -I "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"
>
> Regards
>
> 2017-01-02 10:33 GMT+01:00 Víctor García Guillén <vgarciag at gmail.com>:
>>
>> Hi David,
>>
>>    sorry for the delay in responding. Today I am writing to the security team because the report explains the vulnerability but not the test that discovered this issue.
>>
>>    As soon as I have this information I will submit it.
>>
>>    Regards and happy new year.
>>
>> 2016-12-22 10:52 GMT+01:00 David Read <david.read at hackneyworkshop.com>:
>>>
>>> Victor,
>>>
>>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>> your auditors for the specifics of how to demonstrate the issue? This
>>> should be included in your test report.
>>>
>>> David
>>>
>>> On 22 December 2016 at 09:52, David Read <david.read at hackneyworkshop.com> wrote:
>>> > Victor,
>>> >
>>> > Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>> > your auditors for the specifics of how to demonstrate the issue? This
>>> > should be included in your test report.
>>> >
>>> > David
>>> >
>>> > On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
>>> >> Hi,
>>> >>
>>> >>    I recently opened an issue in the CKAN GitHub. It was closed and the
>>> >> comment referred me to write to this email.
>>> >>
>>> >>    The content of this issue is:
>>> >>
>>> >> In a recent security audit of our CKAN server we have a security vulnerability
>>> >> related to the HTTP headers.
>>> >>
>>> >> This security vulnerability is related to HTTP Response Splitting.
>>> >>
>>> >> This vulnerability is detailed further here:
>>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>>> >>
>>> >> To fix this issue there are several ways, but the best way is to sanitize
>>> >> the HTTP headers in
>>> >> the CKAN code, as is explained in this Java code:
>>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>>> >>
>>> >>
>>> >>    Please let me know if you need more information to ask the security
>>> >> auditors.
>>> >>
>>> >>  Regards
>>> >>
>>> >> _______________________________________________
>>> >> CKAN security
>>> >> https://lists.okfn.org/mailman/listinfo/security
>>> >> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>>> >>
>>> >> Repo: https://github.com/ckan/ckan-security
>>
>>
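The thread above describes a CRLF injection through the `url` parameter of a redirect endpoint, with the proof of concept being a URL-encoded `%0d%0a` followed by a fake header. The following is an added example, not CKAN code and not from any participant in the thread: it reproduces the mechanism with a deliberately naive redirect handler and a toy header parser, then shows a hardened handler that rejects control characters and restricts the target to same-site paths or an assumed allow-list of hosts. The query payload mirrors the one reported in the thread; the host names passed as `allowed_hosts` are constructed for the example and are an assumption.

```python
"""
Added example (not CKAN's code): CRLF injection via a redirect target,
and a hardened check that rejects it. Standard library only.
"""
from urllib.parse import unquote, urlsplit

CRLF = "\r\n"


def handle_redirect_naive(query_value):
    """Vulnerable pattern: the decoded query value is dropped straight into
    the Location header, so CR/LF inside it terminates the header line."""
    location = unquote(query_value)
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + location + CRLF
            + CRLF)


def parse_headers(raw_response):
    """Toy response parser standing in for a proxy or browser. Deliberately
    lenient: it strips leading whitespace from header names instead of
    treating such lines as obsolete line folding, so the reported payload
    (which starts with %20) shows up as its own header."""
    head = raw_response.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return status, headers


class UnsafeRedirect(ValueError):
    pass


def validate_redirect_target(query_value, allowed_hosts=()):
    """Return the decoded target if it is safe to place in Location.

    Order matters: the control-character check runs on the decoded string
    before urlsplit, because urlsplit strips tab/CR/LF (Python >= 3.6)
    and would otherwise hide the injection from the later checks."""
    url = unquote(query_value)
    if any(ch in url for ch in "\r\n\0"):
        raise UnsafeRedirect("control character in redirect target")
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) to an explicitly allowed host.
        # A bare "//evil.example/" also lands here (netloc set, no scheme).
        if parts.scheme not in ("http", "https"):
            raise UnsafeRedirect("unsupported scheme")
        if parts.hostname not in allowed_hosts:
            raise UnsafeRedirect("off-site redirect")
    else:
        # Relative target: a single-slash path only. Reject "//" and "/\\"
        # since browsers treat both as scheme-relative (open redirect).
        if not url.startswith("/") or url[1:2] in ("/", "\\"):
            raise UnsafeRedirect("relative target must be a single-slash path")
    return url


def handle_redirect_safe(query_value, allowed_hosts=()):
    """Hardened handler: validates first, then builds the same response."""
    return handle_redirect_naive(validate_redirect_target(query_value, allowed_hosts))


def redirect_allowed(query_value, allowed_hosts=()):
    """Convenience predicate for tests and for logging rejected targets."""
    try:
        validate_redirect_target(query_value, allowed_hosts)
        return True
    except UnsafeRedirect:
        return False


if __name__ == "__main__":
    # Constructed inputs; the first mirrors the payload reported in the thread.
    payload = "%0d%0a%20HeaderInjection:owned"
    status, hdrs = parse_headers(handle_redirect_naive(payload))
    print("naive:", status, hdrs)          # HeaderInjection appears as a header
    for target in (payload, "%2Fdataset%2Fabc", "//evil.example/",
                   "https://demo.example/dataset", "https://evil.example/"):
        print(f"{target!r:45} allowed={redirect_allowed(target, ('demo.example',))}")
```

The check is intentionally a whitelist (scheme, host, path shape) rather than a blacklist of bad characters, so it also closes the open redirect Ian asks about, not just the header injection. Rejected targets should be logged with the raw query value so a detection rule can match on `%0d%0a` or on a repeated stream of `UnsafeRedirect` rejections from one source.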


