Home
About Download Documentation Wiki Forums Contribute Support
The Toolkit for Online Communities
15938 Community Members, 0 members online, 2100 visitors today 		Log In Register

Forum OpenACS Q&A: HTTP Response Splitting Attacks

OpenACS Home : Forums : OpenACS Q&A : HTTP Response Splitting Attacks

Icon of Envelope Request notifications

+
1: HTTP Response Splitting Attacks
Posted by Brian Fenton on 07/14/09 01:35 PM
Hi,

A client has just reported their system as vulnerable to "HTTP Response Splitting Attacks" during a security audit they had done.

I see there is already a bug report here: http://www.openacs.org/bugtracker/openacs/bug?format=table&bug_number=2011 but there doesn't appear to be a recent update on the bug.

On the bug report, Carsten Clasohm says "this is pretty easy to fix in OpenACS. Just check for \n and \r in ad_returnredirect, log the offending redirection target, and throw an error."

Does anyone know if it's this straight-forward? Has anybody implemented this and can confirm it works?

many thanks
Brian

+
2: Re: HTTP Response Splitting Attacks (response to 1)
Posted by Dave Bauer on 07/14/09 01:44 PM
Brian,

Is there any way you can make this change and test it with the security test you client conducted?

I have had several clients use security audits and haven't seen this issue reported before. The audit your client had done must be newer.

+
3: Re: HTTP Response Splitting Attacks (response to 2)
Posted by Brian Fenton on 07/14/09 01:53 PM
Hi Dave,

The problem is that this is an old OpenACS install (version 4.5), so I was wondering whether the issue may be resolved in more recent versions.

If I don't get any more replies, I'll implement Carsten's recommendations, and we'll see if that resolves the issue. But it would be good to hear other's experiences.

thanks
Brian

This website is maintained by the OpenACS Community. Any problems, email webmaster or Submit a bug report.