[CKAN-Security] Fwd: HTTP Response Splitting vulnerability

Ian Ward ian at excess.org
Wed Jan 4 13:22:20 UTC 2017


Oh, because the language toggle uses a drop-down to navigate to a new
page. We could avoid the JS requirement by using links instead of a
drop-down (drop-downs that navigate aren't considered accessible, so
we've overridden this bit of the template anyway).

I vote for the simple fix, just filter out anything that could break
an HTTP header line. That's easiest to backport too.

On Wed, Jan 4, 2017 at 8:01 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
> The only one I can think of is wanting to support disabled JS, as
> redirecting on the client when an option is selected is trivial.
>
>
> Adrià
>
> On 3 January 2017 at 15:36, David Read <david.read at hackneyworkshop.com>
> wrote:
>>
>> Ian,
>> Good question. I'm afraid I've not looked at the details.
>> Dave
>>
>> On 3 January 2017 at 15:32, Ian Ward <ian at excess.org> wrote:
>> > I wonder if that's what's breaking my search parameters when toggling
>> > languages. Is there a reason the language selector can't just link to
>> > the correct URL?
>> >
>> > On Tue, Jan 3, 2017 at 10:29 AM, David Read
>> > <david.read at hackneyworkshop.com> wrote:
>> >> I think it is used by the language selector. I persuaded someone to
>> >> add in a domain check, so it doesn't redirect to other sites, so it's
>> >> not 'open', but it's still not great.
>> >>
>> >> D
>> >>
>> >> On 3 January 2017 at 15:22, Ian Ward <ian at excess.org> wrote:
>> >>> Hmm. What's the reason we have an open redirect in the first place?
>> >>>
>> >>> On Tue, Jan 3, 2017 at 4:37 AM, David Read
>> >>> <david.read at hackneyworkshop.com> wrote:
>> >>>> ---------- Forwarded message ----------
>> >>>> From: Víctor García Guillén <vgarciag at gmail.com>
>> >>>> Date: 3 January 2017 at 08:48
>> >>>> Subject: Re: [CKAN-Security] HTTP Response Splitting vulnerability
>> >>>> To: David Read <david.read at hackneyworkshop.com>
>> >>>>
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>>    the test is simply a curl; you can test it against our
>> >>>> preproduction CKAN site:
>> >>>>
>> >>>> curl -k -I
>> >>>> "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"
>> >>>>
>> >>>>    In the response headers the injected header (" HeaderInjection")
>> >>>> is shown, returned by the server.
>> >>>>
>> >>>>    I tried to check whether the same occurs on the CKAN demo site, but it
>> >>>> returns an error 500:
>> >>>>
>> >>>> curl -I
>> >>>> "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"
>> >>>>
>> >>>> Regards
>> >>>>
>> >>>> 2017-01-02 10:33 GMT+01:00 Víctor García Guillén
>> >>>> <vgarciag at gmail.com>:
>> >>>>>
>> >>>>> Hi David,
>> >>>>>
>> >>>>>    Sorry for the delay in responding. Today I am writing to the security
>> >>>>> team because the report explains the vulnerability but not the test that
>> >>>>> discovered this issue.
>> >>>>>
>> >>>>>    As soon as I have this information I will submit it.
>> >>>>>
>> >>>>>    Regards and happy new year.
>> >>>>>
>> >>>>> 2016-12-22 10:52 GMT+01:00 David Read
>> >>>>> <david.read at hackneyworkshop.com>:
>> >>>>>>
>> >>>>>> Victor,
>> >>>>>>
>> >>>>>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
>> >>>>>> your auditors for the specifics of how to demonstrate the issue?
>> >>>>>> This should be included in your test report.
>> >>>>>>
>> >>>>>> David
>> >>>>>>
>> >>>>>> On 22 December 2016 at 09:52, David Read
>> >>>>>> <david.read at hackneyworkshop.com> wrote:
>> >>>>>> > Victor,
>> >>>>>> >
>> >>>>>> > Thanks for highlighting a potential CRLF vulnerability. Can you
>> >>>>>> > ask your auditors for the specifics of how to demonstrate the issue?
>> >>>>>> > This should be included in your test report.
>> >>>>>> >
>> >>>>>> > David
>> >>>>>> >
>> >>>>>> > On 19 December 2016 at 10:23, Víctor García Guillén
>> >>>>>> > <vgarciag at gmail.com> wrote:
>> >>>>>> >> Hi,
>> >>>>>> >>
>> >>>>>> >>    I recently opened an issue in the CKAN GitHub. It was closed
>> >>>>>> >> and in the comment they referred me to write to this email.
>> >>>>>> >>
>> >>>>>> >>    The content of this issue is:
>> >>>>>> >>
>> >>>>>> >> In a recent security audit of our CKAN server we have a security
>> >>>>>> >> vulnerability related to the HTTP headers.
>> >>>>>> >>
>> >>>>>> >> This security vulnerability is related to HTTP Response Splitting.
>> >>>>>> >>
>> >>>>>> >> This vulnerability is described in more detail here:
>> >>>>>> >>
>> >>>>>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>> >>>>>> >>
>> >>>>>> >> There are several ways to fix this issue, but the better way is
>> >>>>>> >> to sanitize the HTTP headers in the CKAN code, as is explained
>> >>>>>> >> here in this Java code:
>> >>>>>> >>
>> >>>>>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>> >>>>>> >>
>> >>>>>> >>
>> >>>>>> >>    Please let me know if you need more information to request from
>> >>>>>> >> the security auditors.
>> >>>>>> >>
>> >>>>>> >>  Regards
>> >>>>>> >>
>> >>>>>> >> _______________________________________________
>> >>>>>> >> CKAN security
>> >>>>>> >> https://lists.okfn.org/mailman/listinfo/security
>> >>>>>> >>
>> >>>>>> >> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>> >>>>>> >>
>> >>>>>> >> Repo: https://github.com/ckan/ckan-security
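As an added illustration of the "simple fix" voted for above (filter out anything that could break a header line) combined with the domain check mentioned earlier in the thread. This is example code, not CKAN's own implementation; `allowed_hosts` is an assumed configuration value, and the check runs on the already URL-decoded query parameter, which is where `%0d%0a` has become a real CR/LF.

```python
import re
from urllib.parse import urlsplit

# Any ASCII control character (CR and LF above all) must never reach a
# Location header; this is checked on the decoded parameter value.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_redirect_target(url, allowed_hosts):
    """Return True if `url` may be placed in a Location header.

    Rejects header-breaking control characters (the CRLF injection from the
    report) and, as the thread's domain check, any absolute or
    scheme-relative URL whose host is not in `allowed_hosts` (assumed
    configuration, hypothetical name).
    """
    if not isinstance(url, str) or not url:
        return False
    if _CONTROL_CHARS.search(url):
        return False  # "\r\n HeaderInjection:owned" is rejected here
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # e.g. malformed IPv6 literal
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data: and friends
    if parts.netloc:
        # Absolute (https://host/...) or scheme-relative (//host/...) target:
        # the host must be one of ours, ignoring any port.
        host = (parts.hostname or "").lower()
        return host in {h.lower() for h in allowed_hosts}
    # Relative target: must be a single-slash path to stay on this site.
    return url.startswith("/") and not url.startswith("//")


def redirect_location(url, allowed_hosts, fallback="/"):
    """Header value to emit: the validated `url`, otherwise `fallback`."""
    return url if is_safe_redirect_target(url, allowed_hosts) else fallback
```

Because the original string is returned unchanged once it passes, nothing is silently rewritten; a rejected value simply falls back to the site root instead of producing a 500.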


