[CKAN-Security] Fwd: HTTP Response Splitting vulnerability

Adrià Mercader adria.mercader at okfn.org
Wed Jan 4 13:01:23 UTC 2017


The only one I can think of is wanting to support disabled JS, as
redirecting on the client when an option is selected is trivial.


Adrià

On 3 January 2017 at 15:36, David Read <david.read at hackneyworkshop.com> wrote:

> Ian,
> Good question. I'm afraid I've not looked at the details.
> Dave
>
> On 3 January 2017 at 15:32, Ian Ward <ian at excess.org> wrote:
> > I wonder if that's what's breaking my search parameters when toggling
> > languages. Is there a reason the language selector can't just link to
> > the correct url?
> >
> > On Tue, Jan 3, 2017 at 10:29 AM, David Read
> > <david.read at hackneyworkshop.com> wrote:
> >> I think it is used by the language selector. I persuaded someone to
> >> add in a domain check, so it doesn't redirect to other sites, so it's
> >> not 'open', but it's still not great.
> >>
> >> D
> >>
> >> On 3 January 2017 at 15:22, Ian Ward <ian at excess.org> wrote:
> >>> Hmm. What's the reason we have an open redirect in the first place?
> >>>
> >>> On Tue, Jan 3, 2017 at 4:37 AM, David Read
> >>> <david.read at hackneyworkshop.com> wrote:
> >>>> ---------- Forwarded message ----------
> >>>> From: Víctor García Guillén <vgarciag at gmail.com>
> >>>> Date: 3 January 2017 at 08:48
> >>>> Subject: Re: [CKAN-Security] HTTP Response Splitting vulnerability
> >>>> To: David Read <david.read at hackneyworkshop.com>
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>>    the test is a simple curl; you can test it against our
> >>>> preproduction CKAN site:
> >>>>
> >>>> curl -k -I "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"
> >>>>
> >>>>    In the response headers the injected header (" HeaderInjection") is
> >>>> shown, returned by the server.
> >>>>
> >>>>    I tried to check if the same occurs on the CKAN demo site, but it
> >>>> returns an error 500:
> >>>>
> >>>> curl -I "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"
> >>>>
> >>>> Regards
> >>>> 2017-01-02 10:33 GMT+01:00 Víctor García Guillén <vgarciag at gmail.com>:
> >>>>>
> >>>>> Hi David,
> >>>>>
> >>>>>    sorry for the delay in responding. Today I am writing to the security
> >>>>> team because the report explains the vulnerability but not the test that
> >>>>> discovered this issue.
> >>>>>
> >>>>>    As soon as I have this information I will submit it.
> >>>>>
> >>>>>    Regards and happy new year.
> >>>>>
> >>>>> 2016-12-22 10:52 GMT+01:00 David Read <david.read at hackneyworkshop.com>:
> >>>>>>
> >>>>>> Victor,
> >>>>>>
> >>>>>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
> >>>>>> your auditors for the specifics of how to demonstrate the issue? This
> >>>>>> should be included in your test report.
> >>>>>>
> >>>>>> David
> >>>>>>
> >>>>>> On 22 December 2016 at 09:52, David Read <david.read at hackneyworkshop.com> wrote:
> >>>>>> > Victor,
> >>>>>> >
> >>>>>> > Thanks for highlighting a potential CRLF vulnerability. Can you ask
> >>>>>> > your auditors for the specifics of how to demonstrate the issue? This
> >>>>>> > should be included in your test report.
> >>>>>> >
> >>>>>> > David
> >>>>>> >
> >>>>>> > On 19 December 2016 at 10:23, Víctor García Guillén <vgarciag at gmail.com> wrote:
> >>>>>> >> Hi,
> >>>>>> >>
> >>>>>> >>    I recently opened an issue in the CKAN GitHub. It was closed, and in the
> >>>>>> >> comment they referred me to write to this email.
> >>>>>> >>
> >>>>>> >>    The content of this issue is:
> >>>>>> >>
> >>>>>> >> In a recent security audit of our CKAN server we have a security vulnerability
> >>>>>> >> related to the HTTP headers.
> >>>>>> >>
> >>>>>> >> This security vulnerability is related to HTTP Response Splitting.
> >>>>>> >>
> >>>>>> >> This vulnerability is described in more detail here:
> >>>>>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/
> >>>>>> >>
> >>>>>> >> To fix this issue there are several ways, but the better way is to sanitize
> >>>>>> >> the HTTP headers in
> >>>>>> >> the CKAN code, as is explained here in this Java code:
> >>>>>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
> >>>>>> >>
> >>>>>> >>
> >>>>>> >>    Please let me know if you need more information to ask the security
> >>>>>> >> auditors.
> >>>>>> >>
> >>>>>> >>  Regards
> >>>>>> >>
> >>>>>> >> _______________________________________________
> >>>>>> >> CKAN security
> >>>>>> >> https://lists.okfn.org/mailman/listinfo/security
> >>>>>> >> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
> >>>>>> >>
> >>>>>> >> Repo: https://github.com/ckan/ckan-security
> >>>>>
> >>>>>
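The check the thread asks for, written as an added Python example (not CKAN's own code): the url parameter of a redirect endpoint is validated before it becomes a Location header, so a CR/LF in the value cannot terminate the header line, and the same-host "domain check" David Read mentions keeps the endpoint from being an open redirect. The allowed host example.org and the function names are assumptions.

```python
"""Added example, not CKAN's own code: validating the url parameter of a
redirect endpoint before it is placed in a Location header.  Two checks:
CR/LF (or any other control character) in the value is rejected, so the
client cannot end the header line and append a header of its own; and
the target must be a local path or a URL on the site's own host, so the
endpoint is not an open redirect.  ALLOWED_HOST is an assumed value.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "example.org"  # assumption: the site's own hostname

# Constructed sample input: the url parameter from the thread's curl test
# as the web framework sees it after percent-decoding (%0d%0a -> "\r\n").
INJECTED = unquote("%0d%0a%20HeaderInjection:owned")


def safe_redirect_target(raw_url, allowed_host=ALLOWED_HOST):
    """Return raw_url if it is safe to emit as a Location value, else None."""
    # 1. Header injection: CR, LF and every other ASCII control character
    #    would end the header line.  Backslash is rejected too, because
    #    some clients treat "/\host" like "//host".
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw_url) or "\\" in raw_url:
        return None
    parts = urlsplit(raw_url)
    # 2. Only plain http(s) targets; any other scheme is refused.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None
    if parts.netloc == "":
        # No host present: accept only an absolute local path.  Values
        # starting with "//" (including "///host", which browsers resolve
        # to another host) are never accepted as local paths.
        if raw_url.startswith("/") and not raw_url.startswith("//"):
            return raw_url
        return None
    # 3. Same-host check (the "domain check" mentioned in the thread).
    if parts.hostname != allowed_host:
        return None
    return raw_url


def redirect_response(raw_url):
    """Build (status, headers) for the redirect, refusing unsafe targets."""
    target = safe_redirect_target(raw_url)
    if target is None:
        return 400, []  # no redirect at all for an unsafe target
    return 302, [("Location", target)]


if __name__ == "__main__":
    for sample in (INJECTED, "/dataset/?q=water", "https://other.example/x"):
        print(repr(sample), "->", redirect_response(sample))
```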