Julio Varela Gómez
Vulnerability: CRLF injection in Liferay 6.1.0
September 26, 2012 7:39 AM

I'm working with Liferay 6.1.0 CE + WebLogic 10.3.5.
During testing of the application with Acunetix Security Tool version 8, it detects the CRLF injection vulnerability.
This vulnerability has been detected in WebLogic but not in Tomcat. The Tomcat server that comes with the Liferay package filters the CR and LF characters in HTTP headers.
Do you know where to correct this?

CRLF injection/HTTP response splitting

This vulnerability affects /.

Discovered by: Scripting (CRLF_Injection.script).

Attack details

Path Fragment input .x was set to SomeCustomInjectedHeader:injected_by_wvs
Injected header found:

SomeCustomInjectedHeader: injected_by_wvs

HTML Response:

This document you requested has moved temporarily.

It's now at http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/web/d.x
SomeCustomInjectedHeader:injected_by_wvs/fiscais-actualidad/-/asset_publisher/M50j/content/novo-portal-de-estatisticas-xudiciais-do-ine/maximized


It is possible for a remote attacker to inject custom HTTP headers. For
example, an attacker can inject session cookies or HTML code. This may
lead to vulnerabilities like XSS (cross-site scripting) or session
fixation.

You need to restrict CR(0x13) and LF(0x10) from the user input or properly
encode the output in order to prevent the injection of custom HTTP headers.
Amos Fong
LIFERAY STAFF
RE: Vulnerability: CRLF injection in Liferay 6.1.0
September 26, 2012 11:07 PM
It would probably be easiest to fix this in WebLogic. Most app servers nowadays already do this.

However, if you can't fix it in WebLogic, in Liferay you would have to search for all references to .addHeader() or .setHeader() and then sanitize the input. I think other response data is also vulnerable, like addCookie(). So this might be a hard task to do.
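As an added example (hypothetical code, not part of Liferay and not something Amos posted), the search-and-sanitize work he describes can be done once in a servlet Filter that wraps the response: every setHeader(), addHeader(), addCookie() and sendRedirect() call made by the portal or a portlet then passes through a single sanitizer, the same way Tomcat neutralizes control characters in header values before writing them. It assumes the javax.servlet API that Liferay 6.1 targets, a class name of its own choosing, and a web.xml filter mapping on /* placed ahead of Liferay's own filters. The bytes to neutralize are CR 0x0D and LF 0x0A (decimal 13 and 10; the scanner text above prints those decimal values with a 0x prefix).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter (not Liferay code): strips CR/LF from every response header the app sets. */
public class CrlfHeaderFilter implements Filter {

    /**
     * Neutralise line breaks in a header name or value. CR (0x0D), LF (0x0A),
     * every other C0 control character except HTAB, and DEL are replaced by a
     * space, so the value can no longer terminate the header line it sits on.
     */
    static String sanitize(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c <= 0x1F && c != '\t') || c == 0x7F) {
                c = ' ';
            }
            out.append(c);
        }
        return out.toString();
    }

    /** True if the string carries a CR or LF, i.e. could split a response. */
    static boolean containsCrlf(String s) {
        return s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0);
    }

    /** Response wrapper that routes every header-setting call through sanitize(). */
    static class SanitizingResponse extends HttpServletResponseWrapper {
        SanitizingResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(sanitize(name), sanitize(value));
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(sanitize(name), sanitize(value));
        }

        @Override
        public void sendRedirect(String location) throws IOException {
            // The container builds the Location header from this string.
            super.sendRedirect(sanitize(location));
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Cookie attributes end up on a Set-Cookie header line, so they get
            // the same treatment. The name is already validated by Cookie's constructor.
            Cookie clean = (Cookie) cookie.clone();
            clean.setValue(sanitize(cookie.getValue()));
            if (cookie.getPath() != null) {
                clean.setPath(sanitize(cookie.getPath()));
            }
            if (cookie.getDomain() != null) {
                clean.setDomain(sanitize(cookie.getDomain()));
            }
            if (cookie.getComment() != null) {
                clean.setComment(sanitize(cookie.getComment()));
            }
            super.addCookie(clean);
        }
    }

    @Override public void init(FilterConfig config) throws ServletException { }

    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new SanitizingResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Stand-alone check against the scanner's payload, decoded as the portal would see it. */
    public static void main(String[] args) {
        String path = "/web/d.x\r\nSomeCustomInjectedHeader: injected_by_wvs";
        System.out.println("splits response: " + containsCrlf(path));
        System.out.println("sanitized:       " + sanitize(path));
        System.out.println("still splits:    " + containsCrlf(sanitize(path)));
    }
}
```

The wrapper only covers calls that go through the wrapped response object; headers the container writes on its own (for example a Set-Cookie for the session it creates, or a redirect it issues before the filter chain runs) never pass through it, which is why fixing the behaviour in the application server itself, as suggested above, is the more complete answer.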
Julio Varela Gómez
RE: Vulnerability: CRLF injection in Liferay 6.1.0
December 28, 2012 12:34 AM

In front of the WebLogic server we have an Apache. In the Apache virtual host configuration we have included a RewriteCond rule, with its corresponding redirection.

# [NC] makes the match case-insensitive, so lowercase %0a/%0d are caught as well as %0A/%0D
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC]
RewriteRule .* /xxxxxxx/xxxxxxx/inicio? [R,L]


And vulnerability resolved.
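The rule above is evaluated against %{THE_REQUEST}, the raw request line, so it only ever sees the percent-encoded form the client sent. As an added example (hypothetical helper, not from the post and not Apache code), this small Java program applies the same pattern to constructed request lines, with and without the [NC] flag, to show what the rule does and does not catch; in particular, without [NC] a lowercase %0d%0a passes straight through, and a double-encoded %250D%250A is never matched because the rule sees only one layer of encoding. Class and method names are the example's own.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not Apache code): applies the RewriteCond pattern from the
 * post to constructed request lines, the way mod_rewrite applies it to
 * %{THE_REQUEST}, with and without the [NC] (case-insensitive) flag.
 */
public class RewriteCondCheck {

    // Same four alternatives as the posted pattern; for a percent-encoded
    // payload only the %0A/%0D alternatives can fire.
    static final String CRLF_PATTERN = "^.*(\\r|\\n|%0A|%0D).*";

    static final Pattern CASE_SENSITIVE = Pattern.compile(CRLF_PATTERN);
    static final Pattern CASE_INSENSITIVE = Pattern.compile(CRLF_PATTERN, Pattern.CASE_INSENSITIVE);

    /** True if the rule would fire on this request line (nc = [NC] flag present). */
    static boolean blocked(String requestLine, boolean nc) {
        return (nc ? CASE_INSENSITIVE : CASE_SENSITIVE).matcher(requestLine).find();
    }

    public static void main(String[] args) {
        // Constructed request lines: the scanner's payload with upper-case and
        // lower-case percent-encoding, a double-encoded variant, and a clean request.
        String[] lines = {
            "GET /web/d.x%0D%0ASomeCustomInjectedHeader:injected_by_wvs/maximized HTTP/1.1",
            "GET /web/d.x%0d%0aSomeCustomInjectedHeader:injected_by_wvs/maximized HTTP/1.1",
            "GET /web/d.x%250D%250ASomeCustomInjectedHeader:injected_by_wvs/maximized HTTP/1.1",
            "GET /web/guest/home HTTP/1.1",
        };
        for (String line : lines) {
            System.out.printf("no [NC]: %-5s  [NC]: %-5s  %s%n",
                    blocked(line, false), blocked(line, true), line);
        }
    }
}
```

Because the rule lives on the Apache in front of WebLogic, it protects only traffic that enters through that Apache; a request that reaches WebLogic directly is not covered, and what the double-encoded variant turns into depends on how many times the backend decodes the path, so the rewrite is a perimeter control to pair with a fix in the server or application, not a replacement for one.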