HTTP: URL Header Injection

This signature detects attempts to exploit an input validation vulnerability in HTTP. Attackers can use encoded CR/LF (carriage return/line feed) characters in an HTTP response header to split HTTP responses into multiple parts, enabling them to misrepresent Web content to the recipient.

Extended Description

A paper (Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics) was released to describe various attacks that target web users through web application, browser, web/application server and proxy implementations. These attacks are described under the general category of HTTP Response Splitting and involve abusing various input validation flaws in these implementations to split HTTP responses into multiple parts in such a way that response data may be misrepresented to client users. Exploitation would occur by injecting variations of CR/LF sequences into parts of HTTP response headers that the attacker may control or influence. The general consequences of exploitation are that an attacker may misrepresent web content to the client, potentially enticing the user to trust the content and take actions based on this false trust. While the various implementations listed in the paper contribute to these attacks, this issue will most likely be exposed through web applications that do not properly account for CR/LF sequences when accepting user-supplied input that may be returned in server responses. This vulnerability could also aid in exploitation of cross-site scripting vulnerabilities.

Affected Products

Netapp netcache,Apache_software_foundation apache

References

BugTraq: 9804

Short Name

HTTP:REQERR:HEADER-INJECT

Severity

Minor

Recommended

False

Recommended Action

None

HTTP: URL Header Injection

Extended Description

Affected Products

References

Found a potential security threat?