By Jake Edge
October 17, 2008
HTTP response splitting (HRS) is a technique that attackers can use to
inject their own content into a web page. It exploits the way that HTTP
delimits the boundary between its headers and the page content. It also is
an example of that classic web application security bugaboo: improper
filtering of user input.
The basic idea is that by injecting one or more carriage-return line-feed
(CRLF) sequences into the output that a vulnerable web application returns, an
attacker can control what goes to the victim's web browser. The HTTP
response from a web server contains two parts: the headers that describe
the content and the body which contains the HTML for the page.
Each header is delimited by one CRLF and the header section is set off from
the body by two CRLFs. It looks something like:
Date: Fri, 17 Oct 2008 14:31:58 GMT
Server: Apache
Expires: -1
Content-Length: 13355
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
...
Where the first section is the headers, followed by the start of the HTML
content.
The headers above are generated by the LWN web server directly, but
sometimes headers can contain information that comes from a user's
request, often in the form of cookies or redirections. If an attacker can
sneak an extra CRLF or two into a header he controls, he can effectively
create new header lines, or inject his own body content.
Typically this is done by using the URL-encoding values for CR and LF:
%0d and %0a. If the web application is not careful to
check for and filter those characters, the HTTP response can be split. If,
for example, the value of the name variable is set into a cookie
using code like:
Response.Cookies["userName"].Value = request["name"];
then a name like "jake%0d%0a%0d%0a<html>surprise!</html>" could
lead to some rather unexpected results. Obviously this is relatively
benign, and only impacts someone who sets their name that way, but
it does start to give an idea of the power of HRS. Incidentally, the code
above is not random; it is adapted from that used to demonstrate a recent
Mono HRS vulnerability.
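To make the split concrete, here is an added example (not code from the article, nor from the Mono code it mentions) in Python: a toy server that copies a decoded request parameter into a Set-Cookie header with no filtering, a minimal client-side parser that shows where the first blank line ends the headers, and the check that closes the hole. The names build_response, parse_response, safe_header_value and the sample input are assumptions made for this example.

```python
# Added example (not from the article or from the Mono code it mentions): a
# toy server that copies a request parameter into a Set-Cookie header, a
# minimal client-side parser showing where the response gets split, and the
# one check that prevents it. build_response, parse_response,
# safe_header_value and the sample name are assumptions for this example.
from urllib.parse import unquote

CRLF = "\r\n"

# Constructed input, URL-decoded as a server would decode it before use:
# the name from the article, which embeds CR LF CR LF to end the header
# section early and supply a body of the sender's choosing.
INJECTED_NAME = unquote("jake%0d%0a%0d%0a<html>surprise!</html>")


def build_response(name: str) -> str:
    """Naive server: places the decoded 'name' parameter in a cookie header
    with no filtering, the pattern the article describes."""
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html; charset=iso-8859-1",
        f"Set-Cookie: userName={name}",
    ]
    body = "<html>Welcome</html>"
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_response(raw: str):
    """Minimal client view of a response: the first blank line (CRLF CRLF)
    ends the headers; everything after it is the body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def safe_header_value(value: str) -> str:
    """The fix: refuse CR, LF (and NUL) in anything destined for a header.
    Raising is preferable to silently stripping, so the bad input shows up
    in logs instead of being quietly mangled."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("control characters are not allowed in a header value")
    return value


def build_response_hardened(name: str) -> str:
    """Same server with the check applied at the point of use."""
    return build_response(safe_header_value(name))


def demo() -> dict:
    """Run the benign, split and hardened cases; return what a client sees."""
    _, _, benign_body = parse_response(build_response("jake"))
    _, split_headers, split_body = parse_response(build_response(INJECTED_NAME))
    try:
        build_response_hardened(INJECTED_NAME)
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    return {
        "benign_body": benign_body,
        "split_cookie": dict(split_headers)["set-cookie"],
        "split_body": split_body,
        "hardened": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script shows the naive server emitting a cookie of just "userName=jake" and a body that begins with the injected HTML; the real page follows after a second blank line, which a browser never treats as content. The hardened variant rejects the input before it reaches the header. The check is deliberately placed where untrusted data meets the header, which is the only place it is guaranteed to run regardless of how the value arrived (URL parameter, stored redirect target, cookie).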
If one can only inject headers into one's own session, it hardly merits
mention, but there are ways for an attacker to inject into a victim's
browser stream. Perhaps the simplest is just by passing a parameter in the
URL in time-honored fashion:
http://some.vulnerable.site/app?name="...". If the attacker can
get the victim to follow that link, they can control headers and body of
what gets returned by the server. Depending on the application, persistent
versions, where a redirection URL, for example, was stored in a database,
might be another way for an attacker to exploit HRS.
HRS is not new; Amit Klein first described
it [PDF] in 2004, but it does keep cropping up. As described in
Klein's paper, it can be used for cross-site scripting (XSS), web cache
poisoning, web site hijacking, and other nefarious activities. More
recently, Jeremiah Grossman found
HRS vulnerabilities to be surprisingly widespread. He was also
surprised at the variety and nastiness of the effects of HRS vulnerabilities.
HRS is not as well known as some of the other web application flaws, but it
is a serious problem that needs to be considered when building or auditing
such applications. Hopefully, we are starting to see some decline in the
number of SQL injection, XSS, and other higher profile vulnerabilities,
which may mean that attackers start looking towards the more obscure for
exploitation. In what is likely to be a never-ending battle for control of
our web applications, getting out ahead of the attacker community can only
be a good thing.
New vulnerabilities
cups: denial of service
Package(s): cups
CVE #(s): CVE-2007-4045
Created: October 16, 2008
Updated: October 22, 2008
Description: CUPS has a denial of service vulnerability. The
vulnerability database entry states:
The CUPS service, as used in SUSE Linux before 20070720 and other Linux distributions, allows remote attackers to cause a denial of service via unspecified vectors related to an incomplete fix for CVE-2007-0720 that introduced a different denial of service problem in SSL negotiation.
Alerts:
drupal: session hijacking vulnerability
Package(s): drupal
CVE #(s): CVE-2008-3661
Created: October 16, 2008
Updated: May 4, 2009
Description: Drupal has a session hijacking vulnerability. From the
Red Hat bug report:
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session
cookie in an https session, which can cause the cookie to be sent in http
requests and make it easier for remote attackers to capture this cookie.
Alerts:
jhead: buffer overflow
Package(s): jhead
CVE #(s): CVE-2008-4575
Created: October 21, 2008
Updated: March 5, 2009
Description: From the CVE entry: Buffer overflow in the DoCommand function in jhead
before 2.84 might allow context-dependent attackers to cause a denial of
service (crash) via (1) a long -cmd argument and (2) possibly other
unspecified vectors.
Alerts:
  Fedora    FEDORA-2009-1776   jhead   2009-02-17
  Mandriva  MDVSA-2009:041     jhead   2009-02-17
  Gentoo    200901-02          jhead   2009-01-11
  SuSE      SUSE-SR:2009:001   ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera   2009-01-12
  Fedora    FEDORA-2008-8941   jhead   2008-10-20
  Fedora    FEDORA-2008-8928   jhead   2008-10-20
kernel: memory corruption
Package(s): linux-2.6.24
CVE #(s): CVE-2008-3831
Created: October 17, 2008
Updated: June 25, 2009
Description: Olaf Kirch discovered an issue with the i915 driver that may allow local users to cause memory corruption by use of an ioctl with insufficient privilege restrictions.
Alerts:
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2008-3528
Created: October 21, 2008
Updated: June 25, 2009
Description: From the CVE entry: The error-reporting functionality in (1) fs/ext2/dir.c,
(2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel
2.6.26.5 does not limit the number of printk console messages that report
directory corruption, which allows physically proximate attackers to cause
a denial of service (temporary system hang) by mounting a filesystem that
has corrupted dir->i_size and dir->i_blocks values and performing (a) read
or (b) write operations. NOTE: there are limited scenarios in which this
crosses privilege boundaries.
Alerts:
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2008-4576
Created: October 21, 2008
Updated: January 22, 2009
Description: From the CVE entry: sctp in Linux kernel before 2.6.25.18 allows remote
attackers to cause a denial of service (OOPS) via an INIT-ACK that states
the peer does not support AUTH, which causes the sctp_process_init function
to clean up active transports and triggers the OOPS when the T1-Init timer
expires.
Alerts:
libxml2: denial of service
Package(s): libxml2
CVE #(s): CVE-2008-4409
Created: October 16, 2008
Updated: December 2, 2008
Description: libxml2 has a denial of service vulnerability. From the Mandriva
alert:
libxml2 version 2.7.0 and 2.7.1 did not properly handle predefined
entities definitions in entities, which allowed context-dependent
attackers to cause a denial of service (memory consumption and
application crash) via certain XML documents (CVE-2008-4409).
Alerts:
mantis: insecure cookies
Package(s): mantis
CVE #(s): CVE-2008-3102
Created: October 21, 2008
Updated: December 2, 2008
Description: From the CVE entry: Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2
does not set the secure flag for the session cookie in an https session,
which can cause the cookie to be sent in http requests and make it easier
for remote attackers to capture this cookie.
Alerts:
neon: denial of service
Package(s): neon
CVE #(s): CVE-2008-3746
Created: October 16, 2008
Updated: September 22, 2009
Description: Neon has a denial of service vulnerability. From the
Red Hat bug report:
A NULL pointer dereference in the Digest authentication support in neon
versions 0.28.0 through 0.28.2 inclusive allows a malicious server to
crash a client application, resulting in possible denial of service.
Alerts:
php-smarty: regex handling
Package(s): php-Smarty
CVE #(s): (none assigned)
Created: October 22, 2008
Updated: October 22, 2008
Description: php-smarty 2.6.20 fixes checking of /e tags on regular expressions, closing a potential code execution vulnerability.
Alerts:
qemu: insecure temporary files
Package(s): qemu
CVE #(s): CVE-2008-4553
Created: October 21, 2008
Updated: October 22, 2008
Description: From the Debian advisory: Dmitry E. Oboukhov discovered that the qemu-make-debian-root script in qemu, fast processor emulator, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.
Alerts:
Page editor: Jonathan Corbet