http response splitting vulnerability
Kurt Hansen
khansen at charityweb.net
Thu Aug 6 06:18:44 MSD 2009
I tried the application level first. Didn't work, but your advice had me
go back and look again. That did it! I fixed it there.
Thanks!
Take care,
Kurt
Ray wrote:
> Seems like you might need to solve this at the web application level,
> unless the response splitting was done by nginx/backend server itself?
>
> Ray
>
> On Wed, Aug 5, 2009 at 10:58 AM, Kurt Hansen <khansen at charityweb.net> wrote:
>
> Hello,
>
> Our server is checked each day by McAfee to see if there are any
> vulnerabilities.
>
> It found one that I'm not sure what to do. Here's the description
> from McAfee:
>
> >>QUOTE
> HTTP response splitting is the ability for an attacker to modify
> the headers of an HTTP response due to lack of input validation on
> requests that are sent to the application server.
>
> A vulnerable web application or web server allows the user to
> insert a Carriage Return (%0D or \r) and/or a Line Feed (%0A or
> \n) into the headers of an HTTP response. This is usually done by
> sending modified requests to the web application and the web
> application responding with the user supplied data being inserted
> into a header. The attacker then constructs an attack using a
> CRLF (Carriage Return-Line Feed) attack that has the client
> interpret the data as 2 separate responses.
> <<END QUOTE
>
> Here's the proposed solution:
>
> >>QUOTE
> All input that is sent to a web application should not be trusted
> and should be assumed malicious. Characters such as Carriage
> Return (CR) and Line Feed (LF) should be removed from all requests
> before being interpreted by the web application server.
>
> An attacker can also use encoded Carriage Returns and Line Feeds
> to exploit the web server, and user-specified Carriage Returns and
> Line Feeds serve no business purpose on a web server. Filter the
> following characters from all user supplied input:
>
> %0D
> %0A
> %0D%0A
> \r
> \n
> \r\n
> <<END QUOTE
>
>
> How can I implement this fix in nginx? I'm using it as a reverse
> proxy.
>
> Thanks!
>
> Take care,
>
> Kurt Hansen
>
>
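The application-level fix Ray points to, as an added example that is not code from the thread or from nginx: a small Python sanitizer that decodes a user-supplied value until stable (so %0D, %0A and double-encoded forms cannot slip through), strips or rejects CR and LF, and only then lets the value into a response header. Function names and the sample inputs are illustrative.

```python
import re
from urllib.parse import unquote

# Raw CR and LF. Percent-encoded %0D / %0A are caught by decoding first,
# because a framework (or the application itself) turns them into \r\n
# before the value is written into a header.
_CRLF = re.compile(r"[\r\n]")


def fully_decode(value: str) -> str:
    """Percent-decode until stable, so a double-encoded %250D does not survive."""
    decoded = unquote(value)
    while decoded != value:
        value, decoded = decoded, unquote(decoded)
    return decoded


def contains_crlf(value: str) -> bool:
    """True if the value, once fully decoded, carries a CR or LF."""
    return _CRLF.search(fully_decode(value)) is not None


def sanitize_header_value(value: str) -> str:
    """Strip CR and LF from the decoded value before placing it in a header."""
    return _CRLF.sub("", fully_decode(value))


def build_redirect(location: str) -> bytes:
    """Build a 302 whose Location comes from user input; reject values that would split it."""
    if contains_crlf(location):
        raise ValueError("CR/LF in header value rejected")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


# Constructed sample inputs (not from the original thread), one per form McAfee lists.
SAMPLES = {
    "benign": "/donate?campaign=summer",
    "raw_crlf": "/donate\r\nX-Extra: 1",
    "encoded": "/donate%0D%0AX-Extra:%201",
    "double_encoded": "/donate%250D%250AX-Extra:%201",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:15} crlf={contains_crlf(value)!s:5} -> {sanitize_header_value(value)!r}")
```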