
Security

HTTP response splitting

By Jake Edge
October 17, 2008

HTTP response splitting (HRS) is a technique that attackers can use to inject their own headers and content into the response a web server sends to a browser. It exploits the way that HTTP delimits the boundary between its headers and the page content. It also is an example of that classic web application security bugaboo: improper filtering of user input.

The basic idea is that by injecting one or more carriage-return line-feed (CRLF) sequences into the output that a vulnerable web application returns, an attacker can control what goes to the victim's web browser. The HTTP response from a web server contains two parts: the headers that describe the content and the body which contains the HTML for the page. Each header line ends with a CRLF, and the header section is set off from the body by an empty line, that is, two consecutive CRLFs. Leaving aside the status line (HTTP/1.1 200 OK) that precedes the headers, it looks something like:

    Date: Fri, 17 Oct 2008 14:31:58 GMT
    Server: Apache
    Expires: -1
    Content-Length: 13355
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    ...
Where the first section is the headers, followed by the start of the HTML content.

The headers above are generated by the LWN web server directly, but sometimes headers can contain information that comes from a user's request, often in the form of cookies or redirections (the Location header of a redirect, for instance). If an attacker can sneak an extra CRLF or two into a header value he controls, he can end that header early and create new header lines of his own or, with a second CRLF, terminate the header section entirely and inject his own body content.

Typically this is done by using the URL-encoded values for CR and LF, %0d and %0a, which the web framework decodes back into the raw control characters before the application ever sees them. If the web application is not careful to check for and filter those characters, the HTTP response can be split. If, for example, the value of the name variable is set into a cookie using code like:

    // ASP.NET: the cookie value comes straight from the request, unfiltered
    Response.Cookies["userName"].Value = request["name"];
then a name like "jake%0d%0a%0d%0a<html>surprise!</html>" could lead to some rather unexpected results: the two CRLFs close the header section right after the cookie, and everything that follows is delivered as the start of the page body. Obviously this is relatively benign, and only impacts someone who sets their name that way, but it does start to give an idea of the power of HRS. Incidentally, the code above is not random; it is adapted from that used to demonstrate a recent Mono HRS vulnerability.

If one can only inject headers into one's own session, it hardly merits mention, but there are ways for an attacker to inject into a victim's browser stream. Perhaps the simplest is just by passing the parameter in the URL in time-honored fashion: http://some.vulnerable.site/app?name="...". If the attacker can get the victim to follow that link, he can control the headers and body of what the server returns to that victim. Depending on the application, persistent versions, where a redirection URL, for example, is stored in a database and later emitted in a header, might be another way for an attacker to exploit HRS.
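The mechanism described above, as an added example in Python; it is not code from the article, from the Mono bug it mentions, or from any web framework. The function names, the response layout and the two payloads are constructed for this example. The first payload is the article's; the second goes beyond it to the full two-response form of the attack, in which an injected Content-Length: 0 closes the server's real response and a complete second, attacker-written response follows it.

```python
"""Added example (not from the LWN article or from Mono): a Python model of
the vulnerable cookie assignment, a parser that reads the result the way a
browser would, and a hardened builder.  Names and payloads are this
example's own constructions."""
from urllib.parse import parse_qs, urlsplit

CRLF = b"\r\n"
BODY = b"<html>hello</html>"          # the page the application meant to send


def name_from_url(url: str) -> str:
    """The framework URL-decodes the query string before the application
    sees it, so %0d%0a arrives as a literal carriage return / line feed."""
    return parse_qs(urlsplit(url).query)["name"][0]


def safe_header_value(value: str) -> bool:
    """Header values may not contain CR, LF or NUL.  Anything the application
    wants to keep must be percent-encoded, never passed through raw."""
    return not any(c in value for c in "\r\n\0")


def build_response_vulnerable(name: str) -> bytes:
    """Equivalent of Response.Cookies["userName"].Value = request["name"]:
    the raw value is concatenated into a header line, no questions asked."""
    headers = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: text/html; charset=iso-8859-1",
        b"Set-Cookie: userName=" + name.encode("latin-1"),
        b"Content-Length: " + str(len(BODY)).encode("ascii"),
    ]
    return CRLF.join(headers) + CRLF + CRLF + BODY


def build_response_hardened(name: str) -> bytes:
    """Same builder, but the value is validated before it touches a header."""
    if not safe_header_value(name):
        raise ValueError("CR/LF in header value rejected")
    return build_response_vulnerable(name)   # safe once the check has passed


def parse_responses(raw: bytes):
    """Read a byte stream the way an HTTP client does: status line, headers
    up to the blank line, then the body (Content-Length bytes, or the rest
    of the stream when there is no Content-Length).  Returns a list of
    (status_line, headers, body) tuples and stops at the first thing that
    is not a status line, which is where a split response leaves debris."""
    responses = []
    pos = 0
    while raw.startswith(b"HTTP/", pos):
        end = raw.index(CRLF + CRLF, pos)
        status, *lines = raw[pos:end].split(CRLF)
        headers = {}
        for line in lines:
            key, _, value = line.partition(b":")
            headers[key.strip().lower()] = value.strip()
        body_start = end + 4
        if b"content-length" in headers:
            body_end = body_start + int(headers[b"content-length"])
        else:
            body_end = len(raw)
        responses.append((status, headers, raw[body_start:body_end]))
        pos = body_end
    return responses


# The article's payload: end the header section and inject a body.
ARTICLE_URL = "http://some.vulnerable.site/app?name=jake%0d%0a%0d%0a<html>surprise!</html>"

# The full attack (constructed here): close response #1 with Content-Length: 0
# and supply a complete response #2, which the browser or an intermediate
# cache will take as the answer to its next request.
SPLIT_PAYLOAD = (
    "jake\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 22\r\n\r\n"
    "<html>surprise!</html>"
)


def demo():
    """Number of responses a client sees for the article's payload and for
    the full split payload; returns (1, 2)."""
    simple = parse_responses(build_response_vulnerable(name_from_url(ARTICLE_URL)))
    split = parse_responses(build_response_vulnerable(SPLIT_PAYLOAD))
    return len(simple), len(split)


if __name__ == "__main__":
    for status, headers, body in parse_responses(build_response_vulnerable(SPLIT_PAYLOAD)):
        print(status.decode(), dict(headers), body)
    try:
        build_response_hardened(SPLIT_PAYLOAD)
    except ValueError as exc:
        print("hardened builder:", exc)
```

With the article's payload the parser finds one response whose body begins with the injected HTML; with the split payload it finds two, the second entirely attacker-controlled, and the leftover tail of the original response is left unparsed on the connection. Rejecting CR, LF and NUL in anything that ends up in a header (or percent-encoding them when the value must be kept) is the fix, and doing it once in the framework's header-setting code, rather than in every application, is what makes it stick.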

HRS is not new: Amit Klein first described it [PDF] in 2004, in "Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics", but it does keep cropping up. As described in Klein's paper, it can be used for cross-site scripting (XSS), web cache poisoning, web site hijacking, and other nefarious activities. More recently, Jeremiah Grossman found HRS vulnerabilities to be surprisingly widespread. He was also surprised at the variety and nastiness of the effects of HRS vulnerabilities.

HRS is not as well known as some of the other web application flaws, but it is a serious problem that needs to be considered when building or auditing such applications. Hopefully, we are starting to see some decline in the number of SQL injection, XSS, and other higher profile vulnerabilities, which may mean that attackers start looking towards the more obscure for exploitation. In what is likely to be a never-ending battle for control of our web applications, getting out ahead of the attacker community can only be a good thing.


New vulnerabilities

cups: denial of service

Package(s): cups    CVE #(s): CVE-2007-4045
Created: October 16, 2008    Updated: October 22, 2008
Description: CUPS has a denial of service vulnerability. The vulnerability database entry states:

The CUPS service, as used in SUSE Linux before 20070720 and other Linux distributions, allows remote attackers to cause a denial of service via unspecified vectors related to an incomplete fix for CVE-2007-0720 that introduced a different denial of service problem in SSL negotiation.

Alerts:
Fedora FEDORA-2008-8801 cups 2008-10-16


drupal: session hijacking vulnerability

Package(s): drupal    CVE #(s): CVE-2008-3661
Created: October 16, 2008    Updated: May 4, 2009
Description: Drupal has a session hijacking vulnerability. From the Red Hat bug report:

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Alerts:
Fedora FEDORA-2008-9213 drupal 2008-10-30
Fedora FEDORA-2008-9170 drupal 2008-10-24
Fedora FEDORA-2008-8852 drupal 2008-10-16
Fedora FEDORA-2008-8905 drupal 2008-10-16


jhead: buffer overflow

Package(s): jhead    CVE #(s): CVE-2008-4575
Created: October 21, 2008    Updated: March 5, 2009
Description: From the CVE entry: Buffer overflow in the DoCommand function in jhead before 2.84 might allow context-dependent attackers to cause a denial of service (crash) via (1) a long -cmd argument and (2) possibly other unspecified vectors.
Alerts:
Fedora FEDORA-2009-1776 jhead 2009-02-17
Mandriva MDVSA-2009:041 jhead 2009-02-17
Gentoo 200901-02 jhead 2009-01-11
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12
Fedora FEDORA-2008-8941 jhead 2008-10-20
Fedora FEDORA-2008-8928 jhead 2008-10-20


kernel: memory corruption

Package(s): linux-2.6.24    CVE #(s): CVE-2008-3831
Created: October 17, 2008    Updated: June 25, 2009
Description: Olaf Kirch discovered an issue with the i915 driver that may allow local users to cause memory corruption by use of an ioctl with insufficient privilege restrictions.
Alerts:
Fedora FEDORA-2009-6846 kernel 2009-06-23
Fedora FEDORA-2009-5383 kernel 2009-05-25
SuSE SUSE-SA:2009:003 kernel-debug 2009-01-20
CentOS CESA-2008:1017 kernel 2008-12-17
Red Hat RHSA-2008:1017-01 kernel 2008-12-16
Ubuntu USN-679-1 linux, linux-source-2.6.15/22 2008-11-27
rPath rPSA-2008-0316-1 kernel 2008-11-12
Mandriva MDVSA-2008:224-1 kernel 2008-11-07
Mandriva MDVSA-2008:224 kernel 2008-11-04
Fedora FEDORA-2008-8929 kernel 2008-10-23
Fedora FEDORA-2008-8980 kernel 2008-10-23
Debian DSA-1655-1 linux-2.6.24 2008-10-16
Red Hat RHSA-2009:0009-02 kernel 2009-01-22


kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2008-3528
Created: October 21, 2008    Updated: June 25, 2009
Description: From the CVE entry: The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.
Alerts:
Fedora FEDORA-2009-6846 kernel 2009-06-23
Fedora FEDORA-2009-5383 kernel 2009-05-25
CentOS CESA-2009:0326 kernel 2009-04-01
Red Hat RHSA-2009:0326-01 kernel 2009-04-01
Debian DSA-1687-1 linux-2.6 2008-12-15
Debian DSA-1681-1 linux-2.6.24 2008-12-04
SuSE SUSE-SA:2008:057 kernel 2008-12-04
SuSE SUSE-SA:2008:056 kernel 2008-12-03
CentOS CESA-2008:0972 kernel 2008-11-20
Red Hat RHSA-2008:0972-01 kernel 2008-11-19
SuSE SUSE-SR:2008:025 apache2, ipsec-tools, kernel-bigsmp, flash-player, mysql, ktorrent 2008-11-14
rPath rPSA-2008-0316-1 kernel 2008-11-12
Mandriva MDVSA-2008:224-1 kernel 2008-11-07
Ubuntu USN-662-1 linux 2008-11-05
Mandriva MDVSA-2008:224 kernel 2008-11-04
SuSE SUSE-SA:2008:053 kernel 2008-10-27
SuSE SUSE-SA:2008:052 kernel 2008-10-21
SuSE SUSE-SA:2008:051 kernel 2008-10-21
Red Hat RHSA-2009:0009-02 kernel 2009-01-22


kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2008-4576
Created: October 21, 2008    Updated: January 22, 2009
Description: From the CVE entry: sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.
Alerts:
CentOS CESA-2008:1017 kernel 2008-12-17
Red Hat RHSA-2008:1017-01 kernel 2008-12-16
Debian DSA-1687-1 linux-2.6 2008-12-15
Debian DSA-1681-1 linux-2.6.24 2008-12-04
Ubuntu USN-679-1 linux, linux-source-2.6.15/22 2008-11-27
SuSE SUSE-SR:2008:025 apache2, ipsec-tools, kernel-bigsmp, flash-player, mysql, ktorrent 2008-11-14
SuSE SUSE-SA:2008:053 kernel 2008-10-27
Fedora FEDORA-2008-8929 kernel 2008-10-23
Fedora FEDORA-2008-8980 kernel 2008-10-23
SuSE SUSE-SA:2008:052 kernel 2008-10-21
Red Hat RHSA-2009:0009-02 kernel 2009-01-22


libxml2: denial of service

Package(s): libxml2    CVE #(s): CVE-2008-4409
Created: October 16, 2008    Updated: December 2, 2008
Description: libxml2 has a denial of service vulnerability. From the Mandriva alert:

libxml2 version 2.7.0 and 2.7.1 did not properly handle predefined entities definitions in entities, which allowed context-dependent attackers to cause a denial of service (memory consumption and application crash) via certain XML documents (CVE-2008-4409).

Alerts:
Gentoo 200812-06 libxml2 2008-12-02
Mandriva MDVSA-2008:212 libxml2 2008-10-15


mantis: insecure cookies

Package(s): mantis    CVE #(s): CVE-2008-3102
Created: October 21, 2008    Updated: December 2, 2008
Description: From the CVE entry: Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
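
The defect in this entry and in the Drupal entry above is the same one: a session cookie issued over https without the Secure attribute, which the browser will then happily send on any plain http request to the same host. The following is an added example, not code from Drupal, Mantis or any of the advisories: a small audit helper that parses Set-Cookie header values and reports session cookies lacking Secure (and, while it is looking, HttpOnly). The sample headers are constructed for this example and the function names are its own.

```python
"""Added example (not from Drupal, Mantis or the advisories): audit
Set-Cookie header values for the missing Secure attribute behind
CVE-2008-3661 and CVE-2008-3102.  Sample headers are constructed."""


def parse_set_cookie(value: str):
    """Split 'name=value; attr; attr=value' into (name, value, {attr: value}).
    Attribute names are case-insensitive, so they are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_set_cookies(set_cookie_values, over_https=True):
    """Return (cookie name, problem) pairs.  A cookie set over https without
    Secure is also sent on later http requests to the same host, which is
    what lets a passive network attacker capture the session id; without
    HttpOnly it is additionally readable from script, e.g. via XSS."""
    findings = []
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        if over_https and "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
    return findings


# Constructed samples: an unfixed session cookie and a corrected one.
SAMPLE_HEADERS = [
    "SESSa1b2c3d4=9f8e7d6c5b4a; expires=Fri, 07-Nov-2008 14:31:58 GMT; path=/",
    "PHPSESSID=0badc0ffee; path=/; Secure; HttpOnly",
]


if __name__ == "__main__":
    for name, problem in audit_set_cookies(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
```

Both affected applications are PHP; at that level the fix is to set the secure argument of session_set_cookie_params(), or session.cookie_secure=1 in php.ini, so that the session cookie is never emitted without the attribute in the first place.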
Alerts:
Gentoo 200812-07 mantisbt 2008-12-02
Fedora FEDORA-2008-9015 mantis 2008-10-20
Fedora FEDORA-2008-8925 mantis 2008-10-20


neon: denial of service

Package(s): neon    CVE #(s): CVE-2008-3746
Created: October 16, 2008    Updated: September 22, 2009
Description: Neon has a denial of service vulnerability. From the Red Hat bug report:

A NULL pointer dereference in the Digest authentication support in neon versions 0.28.0 through 0.28.2 inclusive allows a malicious server to crash a client application, resulting in possible denial of service.

Alerts:
Ubuntu USN-835-1 neon, neon27 2009-09-21
Mandriva MDVSA-2009:074 libneon0.27 2009-03-10
Fedora FEDORA-2008-7661 neon 2008-10-16


php-smarty: regex handling

Package(s): php-Smarty    CVE #(s): (none)
Created: October 22, 2008    Updated: October 22, 2008
Description: php-smarty 2.6.20 fixes the checking for the /e (eval) modifier on regular expressions, closing a potential code execution vulnerability.
Alerts:
Fedora FEDORA-2008-8956 php-Smarty 2008-10-20
Fedora FEDORA-2008-8945 php-Smarty 2008-10-20


qemu: insecure temporary files

Package(s): qemu    CVE #(s): CVE-2008-4553
Created: October 21, 2008    Updated: October 22, 2008
Description: From the Debian advisory: Dmitry E. Oboukhov discovered that the qemu-make-debian-root script in qemu, fast processor emulator, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.
Alerts:
Debian DSA-1657-1 qemu 2008-10-20


Page editor: Jonathan Corbet


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds