[CKAN-Security] Fwd: HTTP Response Splitting vulnerability

Ian Ward ian at excess.org
Sat Jan 7 03:50:21 UTC 2017


Here's a simple fix. Would love to add the /util/redirect to our list
of things that should be removed as soon as we can.

https://gitlab.com/ckan/ckan-security/commit/7af86cd530c22e1a25224fd959411eafb04f0bfd

On Wed, Jan 4, 2017 at 8:22 AM, Ian Ward <ian at excess.org> wrote:
> Oh, because the language toggle uses a drop-down to navigate to a new
> page. We could avoid the JS requirement by using links instead of a
> drop-down (Drop downs that navigate aren't considered accessible, so
> we've overridden this bit of the template anyway)
>
> I vote for the simple fix, just filter out anything that could break
> an HTTP header line. That's easiest to backport too.
>
> On Wed, Jan 4, 2017 at 8:01 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
>> The only one I can think of is wanting to support disabled JS, as
>> redirecting on the client when an option is selected is trivial.
>>
>>
>> Adrià
>>
>> On 3 January 2017 at 15:36, David Read <david.read at hackneyworkshop.com>
>> wrote:
>>>
>>> Ian,
>>> Good question. I'm afraid I've not looked at the details.
>>> Dave
>>>
>>> On 3 January 2017 at 15:32, Ian Ward <ian at excess.org> wrote:
>>> > I wonder if that's what's breaking my search parameters when toggling
>>> > languages. Is there a reason the language selector can't just link to
>>> > the correct url?
>>> >
>>> > On Tue, Jan 3, 2017 at 10:29 AM, David Read
>>> > <david.read at hackneyworkshop.com> wrote:
>>> >> I think it is used by the language selector. I persuaded someone to
>>> >> add in a domain check, so it doesn't redirect to other sites, so it's
>>> >> not 'open', but it's still not great.
>>> >>
>>> >> D
>>> >>
>>> >> On 3 January 2017 at 15:22, Ian Ward <ian at excess.org> wrote:
>>> >>> Hmm. What's the reason we have an open redirect in the first place?
>>> >>>
>>> >>> On Tue, Jan 3, 2017 at 4:37 AM, David Read
>>> >>> <david.read at hackneyworkshop.com> wrote:
>>> >>>> ---------- Forwarded message ----------
>>> >>>> From: Víctor García Guillén <vgarciag at gmail.com>
>>> >>>> Date: 3 January 2017 at 08:48
>>> >>>> Subject: Re: [CKAN-Security] HTTP Response Splitting vulnerability
>>> >>>> To: David Read <david.read at hackneyworkshop.com>
>>> >>>>
>>> >>>>
>>> >>>> Hi,
>>> >>>>
>>> >>>>    the test is simply a curl; you can test it against our
>>> >>>> preproduction Ckan site:
>>> >>>>
>>> >>>> curl -k -I
>>> >>>> "https://opendata-pre.vlci.valencia.es:8443/util/redirect?url=%0d%0a%20HeaderInjection:owned"
>>> >>>>
>>> >>>>    In the response headers the injected header (" HeaderInjection")
>>> >>>> is shown, returned by the server.
>>> >>>>
>>> >>>>    I tried to check whether the same occurs on the Ckan demo site, but it
>>> >>>> returns an error 500:
>>> >>>>
>>> >>>> curl -I
>>> >>>> "http://demo.ckan.org/util/redirect?url=%0d%0a%20HeaderInjection%3aowned"
>>> >>>>
>>> >>>> Regards
>>> >>>>
>>> >>>> 2017-01-02 10:33 GMT+01:00 Víctor García Guillén
>>> >>>> <vgarciag at gmail.com>:
>>> >>>>>
>>> >>>>> Hi David,
>>> >>>>>
>>> >>>>>    sorry for the delay in responding. Today I write to the security
>>> >>>>> team because the report explains the vulnerability but not the test that
>>> >>>>> discovered this issue.
>>> >>>>>
>>> >>>>>    As soon as I have this information I will submit it.
>>> >>>>>
>>> >>>>>    Regards and happy new year.
>>> >>>>>
>>> >>>>> 2016-12-22 10:52 GMT+01:00 David Read
>>> >>>>> <david.read at hackneyworkshop.com>:
>>> >>>>>>
>>> >>>>>> Victor,
>>> >>>>>>
>>> >>>>>> Thanks for highlighting a potential CRLF vulnerability. Can you ask
>>> >>>>>> your auditors for the specifics of how to demonstrate the issue?
>>> >>>>>> This
>>> >>>>>> should be included in your test report.
>>> >>>>>>
>>> >>>>>> David
>>> >>>>>>
>>> >>>>>> On 22 December 2016 at 09:52, David Read
>>> >>>>>> <david.read at hackneyworkshop.com> wrote:
>>> >>>>>> > Victor,
>>> >>>>>> >
>>> >>>>>> > Thanks for highlighting a potential CRLF vulnerability. Can you
>>> >>>>>> > ask
>>> >>>>>> > your auditors for the specifics of how to demonstrate the issue?
>>> >>>>>> > This
>>> >>>>>> > should be included in your test report.
>>> >>>>>> >
>>> >>>>>> > David
>>> >>>>>> >
>>> >>>>>> > On 19 December 2016 at 10:23, Víctor García Guillén
>>> >>>>>> > <vgarciag at gmail.com> wrote:
>>> >>>>>> >> Hi,
>>> >>>>>> >>
>>> >>>>>> >>    I recently opened an issue in the CKAN Github. It was closed
>>> >>>>>> >> and in the
>>> >>>>>> >> comment they referred me to write to this email.
>>> >>>>>> >>
>>> >>>>>> >>    The content of this issue is:
>>> >>>>>> >>
>>> >>>>>> >> In a recent security audit of our CKAN server we have a security
>>> >>>>>> >> vulnerability
>>> >>>>>> >> related to the http headers.
>>> >>>>>> >>
>>> >>>>>> >> This security vulnerability is related to HTTP Response
>>> >>>>>> >> Splitting.
>>> >>>>>> >>
>>> >>>>>> >> This vulnerability is described in more detail here
>>> >>>>>> >>
>>> >>>>>> >> https://prakharprasad.com/crlf-injection-http-response-splitting-explained/.
>>> >>>>>> >>
>>> >>>>>> >> To fix this issue there are several ways, but the better way is
>>> >>>>>> >> to sanitize
>>> >>>>>> >> the http headers in
>>> >>>>>> >> the CKAN code, as is explained here in this Java code:
>>> >>>>>> >>
>>> >>>>>> >> http://stackoverflow.com/questions/16439618/how-to-fix-the-http-response-splitting-vulnerability-with-esapi
>>> >>>>>> >>
>>> >>>>>> >>
>>> >>>>>> >>    Please let me know if you need more information to ask the
>>> >>>>>> >> security
>>> >>>>>> >> auditors.
>>> >>>>>> >>
>>> >>>>>> >>  Regards
>>> >>>>>> >>
>>> >>>>>> >> _______________________________________________
>>> >>>>>> >> CKAN security
>>> >>>>>> >> https://lists.okfn.org/mailman/listinfo/security
>>> >>>>>> >>
>>> >>>>>> >> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>>> >>>>>> >>
>>> >>>>>> >> Repo: https://github.com/ckan/ckan-security
>>> >>>>>
>>> >>>>>
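An added example, not CKAN's code and not the fix in the commit linked above: a Python check of the kind Ian describes (reject anything that could break an HTTP header line, and keep the redirect on our own host), applied to the already-decoded `url` query parameter before it is written into a Location header. The allowed_host argument is a hypothetical stand-in for the domain check mentioned in the thread, and the sample values are constructed.

```python
from urllib.parse import urlsplit

# Characters that end an HTTP header line (or the header block). A redirect
# target containing any of them would let a client-supplied value add headers
# or a body of its own to the response: the response splitting reported here.
_HEADER_BREAKERS = ("\r", "\n", "\0")


def safe_redirect_target(url, allowed_host):
    """Return ``url`` if it is safe to place in a Location header, else None.

    ``url`` is the query parameter as the web framework hands it to the
    handler (already percent-decoded, so %0d%0a has become "\\r\\n").
    ``allowed_host`` is the site's own host[:port]; a hypothetical argument
    standing in for the domain check the thread mentions.
    """
    if not url:
        return None
    # 1. Filter out anything that could break an HTTP header line.
    if any(ch in url for ch in _HEADER_BREAKERS):
        return None
    parts = urlsplit(url)
    # 2. Only http(s) or scheme-less targets; no javascript:, data:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None
    # 3. A host, if present, must be our own. This also catches the
    #    protocol-relative form "//other.example/...", which urlsplit
    #    reports as a netloc with an empty scheme.
    if parts.netloc and parts.netloc.lower() != allowed_host.lower():
        return None
    # 4. Without a host the target must be an absolute path on this site.
    if not parts.netloc and not url.startswith("/"):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample inputs: the thread's test value plus benign uses.
    for sample in ("\r\n HeaderInjection:owned", "/dataset?q=river",
                   "https://data.example.org/en/dataset",
                   "https://other.example/", "//other.example/x"):
        print(repr(sample), "->", safe_redirect_target(sample, "data.example.org"))
```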


