Forum OpenACS Q&A: HTTP Response Splitting Attacks

Posted by Brian Fenton on 07/14/09 01:35 PM

Hi,

A client has just reported their system as vulnerable to "HTTP Response Splitting Attacks" during a security audit they had done.

I see there is already a bug report here: http://www.openacs.org/bugtracker/openacs/bug?format=table&bug_number=2011 but there doesn't appear to be a recent update on the bug.

On the bug report, Carsten Clasohm says "this is pretty easy to fix in OpenACS. Just check for \n and \r in ad_returnredirect, log the offending redirection target, and throw an error."

Does anyone know if it's this straight-forward? Has anybody implemented this and can confirm it works?

many thanks
Brian

2: Re: HTTP Response Splitting Attacks (response to 1)

Posted by Dave Bauer on 07/14/09 01:44 PM

Brian,

Is there any way you can make this change and test it with the security test you client conducted?

I have had several clients use security audits and haven't seen this issue reported before. The audit your client had done must be newer.

3: Re: HTTP Response Splitting Attacks (response to 2)

Posted by Brian Fenton on 07/14/09 01:53 PM

Hi Dave,

The problem is that this is an old OpenACS install (version 4.5), so I was wondering whether the issue may be resolved in more recent versions.

If I don't get any more replies, I'll implement Carsten's recommendations, and we'll see if that resolves the issue. But it would be good to hear other's experiences.

thanks
Brian