[CKAN-Security] Fwd: HTTP Response Splitting vulnerability

David Read david.read at hackneyworkshop.com
Tue Jan 3 15:29:55 UTC 2017


I think it is used by the language selector. I persuaded someone to
add in a domain check, so it doesn't redirect to other sites, so it's
not 'open', but it's still not great.

D

On 3 January 2017 at 15:22, Ian Ward <ian at excess.org> wrote:
> Hmm. What's the reason we have an open redirect in the first place?
>
> On Tue, Jan 3, 2017 at 4:37 AM, David Read
> <david.read at hackneyworkshop.com> wrote:
>> ---------- Forwarded message ----------
>> From: Víctor García Guillén <vgarciag at gmail.com>
>> Date: 3 January 2017 at 08:48
>> Subject: Re: [CKAN-Security] HTTP Response Splitting vulnerability
>> To: David Read <david.read at hackneyworkshop.com>
>>
>>
>> Hi,
>>
>>    the test is a simple curl; you can test it against our
>> preproduction CKAN site:
>>
>> curl -k -I "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"
>>
>>    In the response headers the injected header (" HeaderInjection") is
>> shown, returned by the server.
>>
>>    I tried to check whether the same occurs on the CKAN demo site, but it
>> returns an error 500:
>>
>> curl -I "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"
>>
>> Regards
>>
>> 2017-01-02 10:33 GMT+01:00 Víctor García Guillén <vgarciag at gmail.com>:
>>>
>>> Hi David,
>>>
>>>    sorry for the delay in responding. Today I am writing to the security team because the report explains the vulnerability but not the test that discovered this issue.
>>>
>>>    As soon as I have this information I will submit it.
>>>
>>>    Regards and happy new year.
>>>
>>> 2016-12-22 10:52 GMT+01:00 David Read <david.read at hackneyworkshop.com>:
>>>>
>>>> Victor,
>>>>
>>>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>>> your auditors for the specifics of how to demonstrate the issue? This
>>>> should be included in your test report.
>>>>
>>>> David
>>>>
>>>> On 22 December 2016 at 09:52, David Read <david.read at hackneyworkshop.com> wrote:
>>>> > Victor,
>>>> >
>>>> > Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>>> > your auditors for the specifics of how to demonstrate the issue? This
>>>> > should be included in your test report.
>>>> >
>>>> > David
>>>> >
>>>> > On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
>>>> >> Hi,
>>>> >>
>>>> >>    I recently opened an issue in the CKAN GitHub. It was closed, and in the
>>>> >> comment they referred me to write to this email.
>>>> >>
>>>> >>    The content of this issue is:
>>>> >>
>>>> >> In a recent security audit of our CKAN server we found a security vulnerability
>>>> >> related to the HTTP headers.
>>>> >>
>>>> >> This security vulnerability is related to HTTP Response Splitting.
>>>> >>
>>>> >> This vulnerability is described in more detail here:
>>>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>>>> >>
>>>> >> To fix this issue there are several ways, but the best way is to sanitize
>>>> >> the HTTP headers in
>>>> >> the CKAN code, as is explained here in this Java code:
>>>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>>>> >>
>>>> >>
>>>> >>    Please let me know if you need more information to ask the security
>>>> >> auditors for.
>>>> >>
>>>> >>  Regards
>>>> >>
>>>> >> _______________________________________________
>>>> >> CKAN security
>>>> >> https://lists.okfn.org/mailman/listinfo/security
>>>> >> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>>>> >>
>>>> >> Repo: https://github.com/ckan/ckan-security
>>>
>>>
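The thread above describes a redirect endpoint that copies a percent-encoded `url` parameter into the `Location` header, so an encoded CR LF terminates that header and the remainder of the parameter appears as a new header line, and it mentions a domain check as the partial mitigation that was added. The following Python example, added here and not taken from CKAN's code or from anyone in the thread, reproduces both halves from a defender's viewpoint: a deliberately vulnerable response builder that shows where the extra header line comes from, and a hardened validator that rejects control characters, unsupported schemes, protocol-relative and off-site targets before a redirect is issued. The endpoint name, the `ALLOWED_HOSTS` allowlist, the host `opendata.example.org` and every function name are assumptions; the query string is the one from the curl command in the thread, reproduced here as constructed test input.

```python
"""CRLF injection into a redirect Location header, and a hardened handler.

Added example; not CKAN's own code. All names and the allowlist are assumed.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only hosts this deployment may redirect to.
ALLOWED_HOSTS = {"opendata.example.org"}

# Constructed input: the query string from the curl command in the thread,
# as it would arrive in QUERY_STRING (still percent-encoded).
AUDITOR_QUERY = "url=%0d%0a%20HeaderInjection:owned"


class RedirectRejected(ValueError):
    """Raised when a redirect target fails validation."""


def redirect_target_from_query(query_string):
    """Extract the 'url' parameter the way a /util/redirect handler would.

    parse_qs percent-decodes the value, so %0d%0a already become CR LF here.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("url")
    if not values:
        raise RedirectRejected("missing url parameter")
    return values[0]


def build_response_unsafe(target):
    """Vulnerable pattern: the decoded parameter is written straight into the
    header block, so a CR LF inside it ends the Location line and everything
    after it is parsed as a further header line."""
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def validate_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Reject header-injection characters and off-site destinations.

    Returns the target unchanged when it is acceptable.
    """
    if any(ch in target for ch in "\r\n\x00"):
        raise RedirectRejected("control characters in redirect target")
    if "\\" in target:
        # Browsers treat a backslash like a slash; refuse the ambiguity.
        raise RedirectRejected("backslash in redirect target")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        raise RedirectRejected("unsupported scheme")
    if parts.netloc:
        # Absolute or protocol-relative URL: the host must be on the allowlist.
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            raise RedirectRejected("redirect host not allowed")
    elif not target.startswith("/") or target.startswith("//"):
        # Without a host, only a site-local path is acceptable.
        raise RedirectRejected("relative target must be a site-local path")
    return target


def is_safe_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Boolean wrapper around validate_redirect_target()."""
    try:
        validate_redirect_target(target, allowed_hosts)
    except RedirectRejected:
        return False
    return True


def build_response_safe(target):
    """Hardened pattern: validate first, then emit the header block."""
    return build_response_unsafe(validate_redirect_target(target))


def header_lines(raw_response):
    """Return the header lines of a raw response (status line excluded),
    which is what a client sees after splitting on CR LF."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    target = redirect_target_from_query(AUDITOR_QUERY)
    print("vulnerable handler emits:", header_lines(build_response_unsafe(target)))
    print("hardened handler accepts it:", is_safe_target(target))
    print("hardened handler emits for /dataset:",
          header_lines(build_response_safe("/dataset")))
```

Validation runs on the decoded value, which is the value any framework hands to the handler; checking the raw percent-encoded string instead would miss double-encoded or alternative encodings of CR LF. The allowlist check covers the "domain check" mentioned in the thread, but on its own it does not stop header injection, which is why the control-character check comes first.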
