Failure to Sanitize CRLF Sequences ('CRLF Injection') |
Weakness ID: 93 (Weakness Base) | Status: Draft |
Description Summary
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not properly sanitize CRLF sequences from inputs.
Example 1
If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.
(Bad Code)
Example Language: Java
logger.info("User's street address: " + request.getParameter("streetAddress"));
Reference | Description |
---|---|
CVE-2002-1771 | CRLF injection enables spam proxy (add mail headers) using email address or name. |
CVE-2002-1783 | CRLF injection in API function arguments modify headers for outgoing requests. |
CVE-2004-1513 | Spoofed entries in web server log file via carriage returns |
CVE-2006-4624 | Chain: inject fake log entries with fake timestamps using CRLF injection |
CVE-2005-1951 | Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting. |
CVE-2004-1687 | Chain: HTTP response splitting via CRLF in parameter related to URL. |
Avoid using CRLF as a special sequence. |
Appropriately filter or quote CRLF sequences in user-controlled input. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 74 | Failure to Sanitize Data into a Different Plane ('Injection') | Development Concepts (primary)699 Research Concepts (primary)1000 |
ChildOf | Category | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Weaknesses in OWASP Top Ten (2007) (primary)629 |
CanPrecede | Weakness Base | 117 | Improper Output Sanitization for Logs | Research Concepts1000 |
ParentOf | Weakness Base | 113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Research Concepts (primary)1000 |
CanAlsoBe | Weakness Variant | 144 | Failure to Sanitize Line Delimiters | Research Concepts1000 |
CanAlsoBe | Weakness Variant | 145 | Failure to Sanitize Section Delimiters | Research Concepts1000 |
Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting. |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | CRLF Injection | ||
OWASP Top Ten 2007 | A2 | CWE More Specific | Injection Flaws |
WASC | 24 | HTTP Request Splitting |
Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07. <http://marc.info/?l=bugtraq&m=102088154213630&w=2>. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Sean Eidemiller | Cigital | External | |
added/updated demonstrative examples | ||||
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated References | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Name | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Other Notes | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Likelihood of Exploit | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | CRLF Injection | |||
2009-05-27 | Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') | |||