http response splitting vulnerability

Kurt Hansen khansen at charityweb.net
Wed Aug 5 06:58:46 MSD 2009


Hello,

Our server is checked each day by McAffee to see if there are any 
vulnerabilities.

It found one that I'm not sure what to do. Here's the description from 
McAfee:

 >>QUOTE
HTTP response splitting is the ability for an attacker to modify the 
headers of an HTTP response due to lack of input validation on requests 
that are sent to the application server.

A vulnerable web application or web server allows the user to insert a 
Carriage Return (%0D or \r) and/or a Line Feed (%0A or \n) into the 
headers of an HTTP response. This is usually done by sending modified 
requests to the web application and the web application responding with 
the user supplied data being inserted into a header. The attacker then 
constructs and attack using a CRLF (Carriage Return-Line Feed) attack 
that has the client interpret the data as 2 separate responses.
<<END QUOTE

Here's the proposed solution:

 >>QUOTE
All input that is sent to a web application should not be trusted and 
should be assumed malicious. Characters such as Carriage Return (CR) and 
Line Feed (LF) should be removed from all requests before being 
interpreted by the web application server.

An attacker can also use encoded Carriage Returns and Line Feeds to 
exploit the web server, and user-specified Carriage Returns and Line 
Feeds serve no business purpose on a web server. Filter the following 
characters from all user supplied input:

%0D
%0A
%0D%0A
\r
\n
\r\n
<<END QUOTE


How can I implement this fix in nginx? I'm using it as a reverse proxy.

Thanks!

Take care,

Kurt Hansen





More information about the nginx mailing list