[CKAN-Security] Fwd: HTTP Response Splitting vulnerability

David Read david.read at hackneyworkshop.com
Tue Jan 3 15:36:39 UTC 2017


Ian,
Good question. I'm afraid I've not looked at the details.
Dave

On 3 January 2017 at 15:32, Ian Ward <ian at excess.org> wrote:
> I wonder if that's what's breaking my search parameters when toggling
> languages. Is there a reason the language selector can't just link to
> the correct url?
>
> On Tue, Jan 3, 2017 at 10:29 AM, David Read
> <david.read at hackneyworkshop.com> wrote:
>> I think it is used by the language selector. I persuaded someone to
>> add in a domain check, so it doesn't redirect to other sites, so it's
>> not 'open', but it's still not great.
>>
>> D
>>
>> On 3 January 2017 at 15:22, Ian Ward <ian at excess.org> wrote:
>>> Hmm. What's the reason we have an open redirect in the first place?
>>>
>>> On Tue, Jan 3, 2017 at 4:37 AM, David Read
>>> <david.read at hackneyworkshop.com> wrote:
>>>> ---------- Forwarded message ----------
>>>> From: Víctor García Guillén <vgarciag at gmail.com>
>>>> Date: 3 January 2017 at 08:48
>>>> Subject: Re: [CKAN-Security] HTTP Response Splitting vulnerability
>>>> To: David Read <david.read at hackneyworkshop.com>
>>>>
>>>>
>>>> Hi,
>>>>
>>>>    the test is simply a curl; you can test it against our
>>>> preproduction Ckan site:
>>>>
>>>> curl -k -I "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"
>>>>
>>>>    In the response headers, the injected header (" HeaderInjection") is
>>>> shown, returned by the server.
>>>>
>>>>    I tried to check whether the same occurs on the Ckan demo site, but it
>>>> returns an error 500:
>>>>
>>>> curl -I "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"
>>>>
>>>> Regards
>>>>
>>>> 2017-01-02 10:33 GMT+01:00 Víctor García Guillén <vgarciag at gmail.com>:
>>>>>
>>>>> Hi David,
>>>>>
>>>>>    Sorry for the delay in responding. Today I write to the security team because the report explains the vulnerability but not the test that discovered this issue.
>>>>>
>>>>>    As soon as I have this information I will submit it.
>>>>>
>>>>>    Regards and happy new year.
>>>>>
>>>>> 2016-12-22 10:52 GMT+01:00 David Read <david.read at hackneyworkshop.com>:
>>>>>>
>>>>>> Victor,
>>>>>>
>>>>>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>>>>> your auditors for the specifics of how to demonstrate the issue? This
>>>>>> should be included in your test report.
>>>>>>
>>>>>> David
>>>>>>
>>>>>> On 22 December 2016 at 09:52, David Read <david.read at hackneyworkshop.com> wrote:
>>>>>> > Victor,
>>>>>> >
>>>>>> > Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>>>>> > your auditors for the specifics of how to demonstrate the issue? This
>>>>>> > should be included in your test report.
>>>>>> >
>>>>>> > David
>>>>>> >
>>>>>> > On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
>>>>>> >> Hi,
>>>>>> >>
>>>>>> >>    I recently opened an issue in the CKAN GitHub. It was closed and the
>>>>>> >> comment referred me to write to this email.
>>>>>> >>
>>>>>> >>    The content of this issue is:
>>>>>> >>
>>>>>> >> In a recent security audit of our CKAN server we have a security vulnerability
>>>>>> >> related to the HTTP headers.
>>>>>> >>
>>>>>> >> This security vulnerability is related to HTTP Response Splitting.
>>>>>> >>
>>>>>> >> This vulnerability is more detailed here:
>>>>>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>>>>>> >>
>>>>>> >> To fix this issue there are several ways, but the best way is to sanitize
>>>>>> >> the HTTP headers in
>>>>>> >> the CKAN code, as is explained here in this Java code:
>>>>>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>>>>>> >>
>>>>>> >>
>>>>>> >>    Please let me know if you need more information to ask the security
>>>>>> >> auditors.
>>>>>> >>
>>>>>> >>  Regards
>>>>>> >>
>>>>>> >> _______________________________________________
>>>>>> >> CKAN security
>>>>>> >> https://lists.okfn.org/mailman/listinfo/security
>>>>>> >> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>>>>>> >>
>>>>>> >> Repo: https://github.com/ckan/ckan-security
>>>>>
>>>>>
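The thread above concerns a `/util/redirect?url=...` endpoint whose `url` value reached the `Location` header unsanitised, so a CR/LF pair in the parameter split the response into extra header lines, plus a later domain check meant to keep it from redirecting to other sites. As an added example (not CKAN's code, and not written by anyone in this thread), the following Python validator shows how such a redirect target can be checked before it is emitted, and how a naive header serialisation would otherwise produce two header lines from one value. The `allowed_host` value and the sample payload below are constructed for the example; the payload is the decoded form of the `%0d%0a%20HeaderInjection:owned` string from the curl test.

```python
"""Hardened redirect-target validation for a ``/util/redirect?url=...``
style endpoint (added example; not CKAN's own code)."""
import re
from urllib.parse import urlsplit

# CR, LF and NUL terminate or corrupt a header line; if any of them reach a
# header value the client parses attacker-chosen headers (response splitting).
_HEADER_CTL_RE = re.compile(r"[\r\n\x00]")


class UnsafeRedirect(ValueError):
    """Raised when a redirect target must not be placed in a Location header."""


def safe_redirect_target(url, allowed_host, default="/"):
    """Return ``url`` if it is safe to emit as a Location header on this host.

    ``allowed_host`` (hypothetical parameter) is the host[:port] the site is
    served under, as it appears in the Host header.  Rejects CR/LF/NUL
    (response splitting), absolute or protocol-relative URLs to any other
    host (open redirect), non-http(s) schemes, and the ``/\\host`` form some
    browsers treat as ``//host``.
    """
    if not url:
        return default
    # Check the raw string first: urlsplit() in recent Python releases strips
    # newline characters, which would hide the injection from a later check.
    if _HEADER_CTL_RE.search(url):
        raise UnsafeRedirect("control characters in redirect target")
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        raise UnsafeRedirect("scheme %r not allowed" % parts.scheme)
    if parts.netloc:
        if parts.netloc.lower() != allowed_host.lower():
            raise UnsafeRedirect("redirect to foreign host %r" % parts.netloc)
    elif not url.startswith("/") or url.startswith("/\\"):
        raise UnsafeRedirect("relative target must be a local absolute path")
    return url


def is_safe_redirect_target(url, allowed_host):
    """Boolean form of safe_redirect_target() for use in tests and filters."""
    try:
        safe_redirect_target(url, allowed_host)
    except UnsafeRedirect:
        return False
    return True


def redirect_headers(url, allowed_host):
    """Header list for a 302 response, built only from a validated target."""
    return [("Location", safe_redirect_target(url, allowed_host))]


def serialize_headers(headers):
    """Serialise headers the way a server writes them on the wire, so the
    effect of an unvalidated value is visible."""
    return "".join("%s: %s\r\n" % (name, value) for name, value in headers)


def header_line_count(headers):
    """Number of header lines a client would parse from ``headers``."""
    return serialize_headers(headers).count("\r\n")


if __name__ == "__main__":
    # Constructed sample: decoded form of url=%0d%0a%20HeaderInjection:owned
    payload = "\r\n HeaderInjection:owned"
    print("unvalidated value yields %d header lines" %
          header_line_count([("Location", payload)]))
    print("validated:", redirect_headers("/dataset?q=a", "ckan.example"))
    print("payload accepted:", is_safe_redirect_target(payload, "ckan.example"))
```

The control-character check deliberately runs on the raw parameter rather than on the parsed parts: the same validation applied after `urlsplit()` would pass on current Python versions because the parser discards newline characters. Comparing `netloc` against the full host[:port] also rejects `user@host` tricks, since the userinfo stays in `netloc` and never equals the allowed host.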