Signature Detail

HTTP: Spring Security HTTP Header Injection

This signature detects attempts to exploit a known vulnerability against Spring Security. It is due to insufficient validation of CRLF characters passed to the "spring-security-redirect" parameter of the logout URI. Attackers can launch various attacks by injecting arbitrary HTTP headers.

Extended Description

Spring Security is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sufficiently sanitize input. By inserting arbitrary headers into an HTTP response, attackers may be able to launch various attacks, including cross-site request forgery, cross-site scripting, and HTTP-request smuggling. The following versions are vulnerable: Spring Security 2.0.0 through 2.0.6 Spring Security 3.0.0 through 3.0.5

Affected Products

• Springsource spring_security 2.0.0
• Springsource spring_security 2.0.0
• Springsource spring_security 2.0.1
• Springsource spring_security 2.0.2
• Springsource spring_security 2.0.3
• Springsource spring_security 2.0.4
• Springsource spring_security 2.0.5
• Springsource spring_security 2.0.6
• Springsource spring_security 3.0.0
• Springsource spring_security 3.0.1
• Springsource spring_security 3.0.2
• Springsource spring_security 3.0.3
• Springsource spring_security 3.0.4
• Springsource spring_security 3.0.5

References

• BugTraq: 49535
• CVE: CVE-2011-2732
• URL: http://www.springsource.com/security/cve-2011-2732