Improper Neutralization of CRLF Sequences ('CRLF Injection')
ID: 93 | Date: (C) 2012-05-14, (M) 2022-10-10 | Type: weakness | Status: DRAFT | Abstraction Type: Base
Description
The software uses CRLF (carriage return, line feed) sequences as a special element, e.g. to separate lines or records, but it does not neutralize, or incorrectly neutralizes, CRLF sequences in its inputs.
Likelihood of Exploit: Medium to High
Applicable Platforms
Language Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Integrity | Modify application data | |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | Avoid using CRLF as a special sequence. | | |
Implementation | | Appropriately filter or quote CRLF sequences in user-controlled input. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-93 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- If user-supplied data that eventually reaches a log message is not checked for CRLF characters, an attacker may be able to forge entries in the log file: a CRLF embedded in the input terminates the legitimate record, and whatever follows it is written as a new, attacker-chosen record.
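The log-forging case above and the "filter or quote CRLF sequences" mitigation, shown as an added example that is not part of the CWE entry. The log format, the fixed timestamp and the forged username are constructed for this example; the neutralizer goes beyond CR and LF to every character that Python's line-oriented readers treat as a record boundary.

```python
import re

# Characters a line-oriented reader treats as record boundaries. str.splitlines()
# splits on all of these, not only on CR and LF, so neutralize the whole set.
_LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]")


def neutralize_crlf(value: str) -> str:
    """Escape backslashes first, then every line-break character, so an untrusted
    value stays inside one record and the escaping is unambiguous and reversible."""
    value = value.replace("\\", "\\\\")

    def escape(match):
        ch = match.group(0)
        return {"\r": "\\r", "\n": "\\n"}.get(ch, "\\u%04x" % ord(ch))

    return _LINE_BREAKS.sub(escape, value)


TIMESTAMP = "2024-01-01 00:00:00"  # fixed (constructed) so the example is deterministic


def log_line_unsafe(user: str) -> str:
    """Vulnerable pattern from the entry: user input goes verbatim into the log."""
    return f"{TIMESTAMP} WARN login failed user={user}"


def log_line_safe(user: str) -> str:
    """Mitigated pattern: the user-controlled field is neutralized before logging."""
    return f"{TIMESTAMP} WARN login failed user={neutralize_crlf(user)}"


def record_count(log_text: str) -> int:
    """How many records a reader that splits the log on line boundaries would see."""
    return len(log_text.splitlines())


# Constructed input: a username carrying a CRLF followed by a fake success record.
FORGED_USER = "alice\r\n" + TIMESTAMP + " INFO login ok user=admin"

if __name__ == "__main__":
    for writer in (log_line_unsafe, log_line_safe):
        line = writer(FORGED_USER)
        print(f"{writer.__name__}: {record_count(line)} record(s) -> {line!r}")
```

The unsafe writer yields two records, the second of which the attacker authored; the safe writer yields one record in which the CRLF is visible as the literal text `\r\n`.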
Observed Examples
- CVE-2002-1771: CRLF injection enables a spam proxy (adding mail headers) via the email address or name.
- CVE-2002-1783: CRLF injection in API function arguments modifies headers of outgoing requests.
- CVE-2004-1513: Spoofed entries in a web server log file via carriage returns.
- CVE-2006-4624: Chain: injection of fake log entries with fake timestamps using CRLF injection.
- CVE-2005-1951: Chain: application accepts CRLF in an object ID, allowing HTTP response splitting.
- CVE-2004-1687: Chain: HTTP response splitting via CRLF in a parameter related to the URL.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
PLOVER | | CRLF Injection | |
OWASP Top Ten 2007 | A2 | Injection Flaws | CWE_More_Specific |
WASC | 24 | HTTP Request Splitting | |