[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Improper Neutralization of CRLF Sequences ('CRLF Injection')

ID: 93Date: (C)2012-05-14   (M)2017-11-16
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Likelihood of Exploit: Medium to High

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Integrity
 
Modify application data
 
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 
 Avoid using CRLF as a special sequence.
 
  
Implementation
 
 Appropriately filter or quote CRLF sequences in user-controlled input.
 
  

Relationships

Related CWETypeViewChain
CWE-93 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.

Observed Examples

  1. CVE-2002-1771 : CRLF injection enables spam proxy (add mail headers) using email address or name.
  2. CVE-2002-1783 : CRLF injection in API function arguments modify headers for outgoing requests.
  3. CVE-2004-1513 : Spoofed entries in web server log file via carriage returns
  4. CVE-2006-4624 : Chain: inject fake log entries with fake timestamps using CRLF injection
  5. CVE-2005-1951 : Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
  6. CVE-2004-1687 : Chain: HTTP response splitting via CRLF in parameter related to URL.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  CRLF Injection
 
 
OWASP Top Ten 2007 A2
 
Injection Flaws
 
CWE_More_Specific
 
WASC 24
 
HTTP Request Splitting
 
 

References:

  1. Ulf Harnhammar .CRLF Injection. Bugtraq. 2002-05-07.

© 2013 SecPod Technologies