Forum OpenACS Q&A: HTTP Response Splitting Attacks

Request notifications

Collapse
Posted by Brian Fenton on
Hi,

A client has just reported their system as vulnerable to "HTTP Response Splitting Attacks" during a security audit they had done.

I see there is already a bug report here: http://www.openacs.org/bugtracker/openacs/bug?format=table&bug_number=2011 but there doesn't appear to be a recent update on the bug.

On the bug report, Carsten Clasohm says "this is pretty easy to fix in OpenACS. Just check for \n and \r in ad_returnredirect, log the offending redirection target, and throw an error."

Does anyone know if it's this straight-forward? Has anybody implemented this and can confirm it works?

many thanks
Brian

Collapse
Posted by Dave Bauer on
Brian,

Is there any way you can make this change and test it with the security test you client conducted?

I have had several clients use security audits and haven't seen this issue reported before. The audit your client had done must be newer.

Collapse
Posted by Brian Fenton on
Hi Dave,

The problem is that this is an old OpenACS install (version 4.5), so I was wondering whether the issue may be resolved in more recent versions.

If I don't get any more replies, I'll implement Carsten's recommendations, and we'll see if that resolves the issue. But it would be good to hear other's experiences.

thanks
Brian