[CKAN-Security] Fwd: HTTP Response Splitting vulnerability

Ian Ward ian at excess.org
Tue Jan 3 15:32:49 UTC 2017


I wonder if that's what's breaking my search parameters when toggling
languages. Is there a reason the language selector can't just link to
the correct URL?

On Tue, Jan 3, 2017 at 10:29 AM, David Read
<david.read at hackneyworkshop.com> wrote:
> I think it is used by the language selector. I persuaded someone to
> add in a domain check, so it doesn't redirect to other sites, so it's
> not 'open', but it's still not great.
>
> D
>
> On 3 January 2017 at 15:22, Ian Ward <ian at excess.org> wrote:
>> Hmm. What's the reason we have an open redirect in the first place?
>>
>> On Tue, Jan 3, 2017 at 4:37 AM, David Read
>> <david.read at hackneyworkshop.com> wrote:
>>> ---------- Forwarded message ----------
>>> From: Víctor García Guillén <vgarciag at gmail.com>
>>> Date: 3 January 2017 at 08:48
>>> Subject: Re: [CKAN-Security] HTTP Response Splitting vulnerability
>>> To: David Read <david.read at hackneyworkshop.com>
>>>
>>>
>>> Hi,
>>>
>>>    the test is simply a curl; you can test it against our
>>> pre-production CKAN site:
>>>
>>> curl -k -I "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"
>>>
>>>    In the response headers, the injected header ("HeaderInjection") is
>>> shown, returned by the server.
>>>
>>>    I tried to check whether the same occurs on the CKAN demo site, but it
>>> returns an error 500:
>>>
>>> curl -I "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"
>>>
>>> Regards
>>>
>>> 2017-01-02 10:33 GMT+01:00 Víctor García Guillén <vgarciag at gmail.com>:
>>>>
>>>> Hi David,
>>>>
>>>>    sorry for the delay in responding. Today I am writing to the security team because the report explains the vulnerability but not the test that discovered this issue.
>>>>
>>>>    As soon as I have this information I will submit it.
>>>>
>>>>    Regards and happy new year.
>>>>
>>>> 2016-12-22 10:52 GMT+01:00 David Read <david.read at hackneyworkshop.com>:
>>>>>
>>>>> Victor,
>>>>>
>>>>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>>>> your auditors for the specifics of how to demonstrate the issue? This
>>>>> should be included in your test report.
>>>>>
>>>>> David
>>>>>
>>>>> On 22 December 2016 at 09:52, David Read <david.read at hackneyworkshop.com> wrote:
>>>>> > Victor,
>>>>> >
>>>>> > Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>>>> > your auditors for the specifics of how to demonstrate the issue? This
>>>>> > should be included in your test report.
>>>>> >
>>>>> > David
>>>>> >
>>>>> > On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
>>>>> >> Hi,
>>>>> >>
>>>>> >>    I recently opened an issue in the CKAN GitHub. It was closed and the
>>>>> >> comment referred me to write to this email.
>>>>> >>
>>>>> >>    The content of this issue is:
>>>>> >>
>>>>> >> In a recent security audit of our CKAN server we have a security vulnerability
>>>>> >> related to the HTTP headers.
>>>>> >>
>>>>> >> This security vulnerability is related to HTTP Response Splitting.
>>>>> >>
>>>>> >> This vulnerability is detailed further here:
>>>>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>>>>> >>
>>>>> >> There are several ways to fix this issue, but the better way is to sanitize
>>>>> >> the HTTP headers in
>>>>> >> the CKAN code, as is explained here in this Java code:
>>>>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>>>>> >>
>>>>> >>
>>>>> >>    Please let me know if you need more information to ask the security
>>>>> >> auditors.
>>>>> >>
>>>>> >>  Regards
>>>>> >>
>>>>> >> _______________________________________________
>>>>> >> CKAN security
>>>>> >> https://lists.okfn.org/mailman/listinfo/security
>>>>> >> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>>>>> >>
>>>>> >> Repo: https://github.com/ckan/ckan-security
>>>>
>>>>

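The thread mentions two defensive measures for the redirect endpoint: a domain check so the redirect is not "open", and sanitising the header value so a CR/LF in the `url` parameter cannot split the response. The following is an added example (not CKAN's own code) of a check that does both before a `Location` header is emitted; the function names, the `allowed_hosts` set and the sample inputs are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Any CR, LF or other ASCII control byte in a header value can terminate
# the header line and let the caller append further headers or a body.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

def safe_redirect_target(raw_url, allowed_hosts):
    """Return a Location value that is safe to emit, or None to refuse.

    raw_url: the already URL-decoded value of the ?url= parameter.
    allowed_hosts: lower-case hostnames this site serves (assumed known
    to the application; used to block redirects to other sites).
    """
    if not raw_url or _CTRL.search(raw_url):
        return None            # header-injection attempt or junk: refuse
    if "\\" in raw_url:
        return None            # browsers normalise backslashes to slashes
    parts = urlsplit(raw_url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None            # javascript:, data: and similar schemes
    if parts.netloc:
        # Absolute (or scheme-relative //host) URL: host must be ours.
        if (parts.hostname or "") not in allowed_hosts:
            return None
    elif not raw_url.startswith("/"):
        return None            # only site-relative paths are accepted
    return raw_url

def location_header(query_value, allowed_hosts):
    """Decode the query parameter as a web framework would, then validate."""
    return safe_redirect_target(unquote(query_value), allowed_hosts)
```

With the constructed payload from the curl test above, `location_header("%0d%0a%20HeaderInjection%3aowned", {...})` returns `None`, so no header is written; a site-relative path such as `/dataset?q=water` is returned unchanged.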