Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

This site is deprecated. Please CLICK HERE for latest updates

Short Name

 HTTP:REQERR:HEADER-INJECT

Severity

 Minor

Recommended

 No

Category

 HTTP

Keywords

 URL Header Injection

Release Date

 2004/03/10

Update Number

 1213

Supported Platforms

 idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: URL Header Injection


This signature detects attempts to exploit an input validation vulnerability in HTTP. Attackers can use encoded CR/LF (carriage return/line feed) characters in an HTTP response header to split HTTP responses into multiple parts, enabling them to misrepresent Web content to the recipient.

Extended Description

A paper (Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics) was released to describe various attacks that target web users through web application, browser, web/application server and proxy implementations. These attacks are described under the general category of HTTP Response Splitting and involve abusing various input validation flaws in these implementations to split HTTP responses into multiple parts in such a way that response data may be misrepresented to client users. Exploitation would occur by injecting variations of CR/LF sequences into parts of HTTP response headers that the attacker may control or influence. The general consequences of exploitation are that an attacker may misrepresent web content to the client, potentially enticing the user to trust the content and take actions based on this false trust. While the various implementations listed in the paper contribute to these attacks, this issue will most likely be exposed through web applications that do not properly account for CR/LF sequences when accepting user-supplied input that may be returned in server responses. This vulnerability could also aid in exploitation of cross-site scripting vulnerabilities.

Affected Products

  • Apache_software_foundation apache 2.0.0
  • Apache_software_foundation apache 2.0.28
  • Apache_software_foundation apache 2.0.32
  • Apache_software_foundation apache 2.0.35
  • Apache_software_foundation apache 2.0.36
  • Apache_software_foundation apache 2.0.37
  • Apache_software_foundation apache 2.0.38
  • Apache_software_foundation apache 2.0.39
  • Apache_software_foundation apache 2.0.40
  • Apache_software_foundation apache 2.0.41
  • Apache_software_foundation apache 2.0.42
  • Apache_software_foundation apache 2.0.43
  • Apache_software_foundation apache 2.0.44
  • Apache_software_foundation apache 2.0.45
  • Apache_software_foundation apache 2.0.46
  • Apache_software_foundation apache 2.0.47
  • Apache_software_foundation apache 2.0.48
  • Apache_software_foundation tomcat 4.1.24
  • Bea_systems weblogic_server 8.1.0
  • Bea_systems weblogic_server 8.1.0 SP 1
  • Bea_systems weblogic_server_for_win32 8.1.0
  • Bea_systems weblogic_server_for_win32 8.1.0 SP 1
  • Ibm websphere_application_server 5.0.0
  • Ibm websphere_application_server 5.0.1
  • Ibm websphere_application_server 5.0.2
  • Ibm websphere_application_server 5.0.2 .1
  • Ibm websphere_application_server 5.0.2 .3
  • Ibm websphere_application_server 5.0.2 .4
  • Ibm websphere_application_server 5.0.2 .5
  • Ibm websphere_application_server 5.0.2 .6
  • Ibm websphere_application_server 5.1.0
  • Ibm websphere_application_server 5.1.0 .0.2
  • Ibm websphere_application_server 5.1.0 .0.3
  • Ibm websphere_application_server 5.1.0 .0.4
  • Ibm websphere_application_server 5.1.0 .0.5
  • Ibm websphere_application_server 5.1.1
  • Macromedia coldfusion_server_mx 6.0.0
  • Macromedia coldfusion_server_mx 6.1.0
  • Microsoft asp 3.0
  • Microsoft asp.net 1.0
  • Microsoft asp.net 1.1
  • Microsoft internet_explorer 6.0
  • Microsoft internet_explorer 6.0 SP1
  • Microsoft isa_server_2000 SP1
  • Microsoft isa_server_2000
  • National_science_foundation squid_web_proxy 2.4.0
  • National_science_foundation squid_web_proxy 2.4.0 DEVEL2
  • National_science_foundation squid_web_proxy 2.4.0 DEVEL4
  • National_science_foundation squid_web_proxy 2.4.0 PRE-STABLE
  • National_science_foundation squid_web_proxy 2.4.0 PRE-STABLE2
  • National_science_foundation squid_web_proxy 2.4.0 STABLE1
  • National_science_foundation squid_web_proxy 2.4.0 STABLE2
  • National_science_foundation squid_web_proxy 2.4.0 STABLE2-2
  • National_science_foundation squid_web_proxy 2.4.0 STABLE2-3
  • National_science_foundation squid_web_proxy 2.4.0 STABLE3
  • National_science_foundation squid_web_proxy 2.4.0 STABLE4
  • National_science_foundation squid_web_proxy 2.4.0 STABLE6
  • National_science_foundation squid_web_proxy 2.4.0 STABLE7
  • Netapp netcache 5.2.0
  • Squid web_proxy_cache 2.3.0 .STABLE4
  • Squid web_proxy_cache 2.3.0 .STABLE5
  • Squid web_proxy_cache 2.4.0
  • Squid web_proxy_cache 2.4.0 .STABLE2
  • Squid web_proxy_cache 2.4.0 .STABLE6
  • Squid web_proxy_cache 2.4.0 .STABLE7
  • Squid web_proxy_cache 2.5.0 .STABLE1
  • Squid web_proxy_cache 2.5.0 .STABLE3
  • Squid web_proxy_cache 2.5.0 .STABLE4
  • Squid web_proxy_cache 2.5.0 .STABLE5
  • Squid web_proxy_cache 2.5.0 .STABLE6
  • Squid web_proxy_cache 2.5.0 .STABLE7
  • Sun java_system_web_server 6.1.0

References

  • BugTraq: 9804

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out