Description

This script is possibly vulnerable to CRLF injection attacks.

HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTP headers structure.
HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.

Remediation

You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.

References

Acunetix CRLF Injection Attack

Whitepaper - HTTP Response Splitting

Introduction to HTTP Response Splitting

Related Vulnerabilities

Undertow Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') Vulnerability (CVE-2018-1067)

Ruby Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') Vulnerability (CVE-2017-17742)

Python Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') Vulnerability (CVE-2016-5699)

WildFly Application Server Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') Vulnerability (CVE-2016-4993)

HTTP response splitting with cloud storage

Severity

Medium

Classification

CWE-113 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

CRLF Injection Http Response Splitting