Jerry Garcia created SPARK-27172:
------------------------------------

             Summary: CRLF Injection/HTTP response splitting on spark embedded jetty servlet.
                 Key: SPARK-27172
                 URL: https://issues.apache.org/jira/browse/SPARK-27172
             Project: Spark
          Issue Type: Question
          Components: Web UI
    Affects Versions: 1.6.2
            Reporter: Jerry Garcia
Can we upgrade the embedded jetty servlet on spark 1.6.2? Is this possible, or will there be any impact if we do upgrade it? Please refer to the provided attachment for more information.

Attachment (scanner finding; columns: CVS | Severity | Description | Impact | Recommendation | Affected | Reference)

CVS: CRLF injection/HTTP response splitting

Severity: Medium

Description: This script is possibly vulnerable to CRLF injection attacks. HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters, it is possible to alter the HTTP headers structure. HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.

Impact: It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies or HTML code. This may lead to vulnerabilities like XSS (cross-site scripting) or session fixation.

Recommendation: You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.

Affected:

  Web Server Details
  URL encoded GET input page was set to %c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs
  Injected header found: SomeCustomInjectedHeader: injected_by_wvs
  Request headers:
    GET /?page=%c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs&showIncomplete=false HTTP/1.1
    Referer: https://app30.goldmine.bdo.com.ph
    Host: app30.goldmine.bdo.com.ph
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Acunetix-Product: WVS/11.0 (Acunetix - WVSE)
    Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
    Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
    Accept: */*

  Web Server Details
  URL encoded GET input showIncomplete was set to %c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs
  Injected header found: SomeCustomInjectedHeader: injected_by_wvs
  Request headers:
    GET /?page=3&showIncomplete=%c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs HTTP/1.1
    Referer: https://app30.goldmine.bdo.com.ph
    Host: app30.goldmine.bdo.com.ph
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Acunetix-Product: WVS/11.0 (Acunetix - WVSE)
    Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
    Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
    Accept: */*

Reference:
  Acunetix CRLF Injection Attack (http://www.acunetix.com/websitesecurity/crlf-injection.htm)
  Whitepaper - HTTP Response Splitting (http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf)
  Introduction to HTTP Response Splitting (http://www.securiteam.com/securityreviews/5WP0E2KFGK.html)
  https://www.cvedetails.com/cve/CVE-2007-5615/
  https://cwe.mitre.org/data/definitions/113.html



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
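The following Python is an added example, not code from this issue, from Spark's Web UI or from Jetty. It models why the scanner's payload is `%c4%8d%c4%8a` rather than `%0d%0a`: decoded as UTF-8 those bytes are U+010D and U+010A, and a header writer that narrows each character to its low byte turns them into CR (0x0D, decimal 13) and LF (0x0A, decimal 10), splitting the response. The byte-narrowing writer and the `/jobs/?page=` redirect are constructed stand-ins for whatever the flagged endpoint does with the `page` and `showIncomplete` parameters and must be verified against the Jetty version actually bundled with Spark 1.6.2; the request target is copied in shape from the scan output above. The hardened version applies the report's recommendation: encode the untrusted value and refuse to write any header value that would contain CR or LF on any byte path.

```python
"""Added example, not code from the Spark issue or from Jetty: models the
CRLF-injection finding above. CR is byte 0x0D (13) and LF is 0x0A (10)."""
from urllib.parse import parse_qs, quote, urlparse

# Request target copied in shape from the scanner output (constructed sample).
REQUEST_TARGET = ("/?page=%c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs"
                  "&showIncomplete=false")


def decode_payload(target):
    """Percent-decode the `page` parameter the way a servlet container would
    (UTF-8): %c4%8d -> U+010D, %c4%8a -> U+010A, not CR/LF yet."""
    return parse_qs(urlparse(target).query, keep_blank_values=True)["page"][0]


def narrow_to_bytes(value):
    """Assumed model of a header writer that emits (byte) c for every char of
    a header value.  U+010D & 0xFF == 0x0D and U+010A & 0xFF == 0x0A, which is
    exactly why the scanner sends those two code points instead of %0d%0a."""
    return bytes(ord(c) & 0xFF for c in value)


def build_response_vulnerable(page_value):
    """Hypothetical redirect that copies the untrusted `page` value into the
    Location header without validation (stand-in for the flagged endpoint)."""
    location = "/jobs/?page=" + page_value
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: " + narrow_to_bytes(location) + b"\r\n"
            b"Content-Length: 0\r\n\r\n")


def is_header_value_safe(value):
    """Reject CR, LF and NUL, including chars whose low byte would become one
    of them after narrowing.  Use this as the last check before a header is
    written, whatever encoding layer sits in front of it."""
    return not any((ord(c) & 0xFF) in (0x0D, 0x0A, 0x00) for c in value)


def build_response_hardened(page_value):
    """Percent-encode the untrusted value (so it can only contain ASCII
    unreserved chars and %XX escapes) and refuse to emit the header if
    anything CR/LF-like survives."""
    location = "/jobs/?page=" + quote(page_value, safe="")
    if not is_header_value_safe(location):
        raise ValueError("refusing to write a header containing CR/LF")
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: " + location.encode("ascii") + b"\r\n"
            b"Content-Length: 0\r\n\r\n")


def parse_response_headers(raw):
    """Minimal reader of the first response's header block, as a proxy or
    browser would see it: returns {name: value}."""
    head = raw.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, val = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1")] = val.strip().decode("latin-1")
    return headers


def injected_header_found(raw, name="SomeCustomInjectedHeader"):
    """Mirror the scanner's check: did a header the server never meant to
    send appear in the response?"""
    return name in parse_response_headers(raw)


if __name__ == "__main__":
    payload = decode_payload(REQUEST_TARGET)
    print("decoded page value:", repr(payload))
    vuln = build_response_vulnerable(payload)
    print("vulnerable response:", vuln)
    print("injected header found:", injected_header_found(vuln))
    safe = build_response_hardened(payload)
    print("hardened response:", safe)
    print("injected header found:", injected_header_found(safe))
```

Note that `is_header_value_safe` checks the low byte rather than the character itself, so it rejects both a literal `\r\n` (from `%0d%0a`) and the Unicode look-alikes; a filter that only strips U+000D and U+000A would pass the scanner's payload straight through to a narrowing writer.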