Failure to Sanitize CRLF Sequences ('CRLF Injection')
Weakness ID: 93 (Weakness Base)
Status: Draft
+ Description

Description Summary

The software uses CRLF (carriage return, line feed) sequences as a special element, e.g. to separate lines or records, but it does not properly sanitize CRLF sequences out of its inputs, so attacker-supplied data can terminate one line or record and start another.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Likelihood of Exploit

Medium to High

+ Demonstrative Examples

Example 1

If user-supplied data that eventually reaches a log message is not checked for CRLF characters, an attacker may be able to forge entries in the log file: a CRLF embedded in the value ends the current record, and whatever follows it is written as a new record.

(Bad Code) Example Language: Java

// Bad: the parameter is written into the log record unchanged, CR and LF included
logger.info("User's street address: " + request.getParameter("streetAddress"));
+ Observed Examples
Reference | Description
CVE-2002-1771 | CRLF injection enables spam proxy (add mail headers) using email address or name.
CVE-2002-1783 | CRLF injection in API function arguments modify headers for outgoing requests.
CVE-2004-1513 | Spoofed entries in web server log file via carriage returns.
CVE-2006-4624 | Chain: inject fake log entries with fake timestamps using CRLF injection.
CVE-2005-1951 | Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1687 | Chain: HTTP response splitting via CRLF in parameter related to URL.
+ Potential Mitigations

Avoid using CRLF as a special sequence in formats the software itself writes.

Where CRLF must remain a delimiter (log files, mail and HTTP headers), appropriately filter, encode or quote CRLF sequences in user-controlled input before it is written into the output.
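The following is an added illustration, not code from the CWE entry itself: it puts the entry's vulnerable logging call beside a hardened version that neutralizes CR, LF and other control characters before the value reaches the log. The `streetAddress` string is a constructed stand-in for what `request.getParameter("streetAddress")` would return; `neutralizeForLog` is a hypothetical helper written for this example.

```java
import java.util.logging.Logger;

/*
 * Added example (not part of the CWE entry). Shows why a raw CRLF in a
 * logged value yields a second, attacker-shaped log record, and one way
 * to neutralize it so a single log call always produces a single line.
 */
public class CrlfSafeLogging {
    private static final Logger logger =
            Logger.getLogger(CrlfSafeLogging.class.getName());

    /**
     * Replace CR, LF, TAB and any other control character with a visible
     * escape. The returned string contains no line terminators, so it can
     * be concatenated into a log message without forging a new record.
     */
    static String neutralizeForLog(String s) {
        if (s == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        // remaining C0 controls and DEL, rendered as \xNN
                        out.append(String.format("\\x%02x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input standing in for request.getParameter("streetAddress"):
        // a plausible address followed by a CRLF and text shaped like a log record.
        String streetAddress = "1 Main St\r\nINFO: User admin logged in";

        // Vulnerable pattern from the entry: the CRLF goes straight into the
        // log, so the text after it shows up as an independent record.
        logger.info("User's street address: " + streetAddress);

        // Hardened: the CRLF becomes the literal characters \r\n inside one
        // record, and the forged line is visibly part of the address field.
        logger.info("User's street address: " + neutralizeForLog(streetAddress));
    }
}
```

Run it and compare the two records in the console output: the first call prints the injected line as if the logger had written it; the second keeps everything on one line. In practice the escaping belongs in the logging layer (a framework encoder or pattern converter applied to every message) rather than at each call site, so that no individual `logger.info` can be forgotten.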

+ Weakness Ordinalities
Ordinality | Description
Primary | (where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 74 | Failure to Sanitize Data into a Different Plane ('Injection') | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Category | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Weaknesses in OWASP Top Ten (2007) (primary) 629
CanPrecede | Weakness Base | 117 | Improper Output Sanitization for Logs | Research Concepts 1000
ParentOf | Weakness Base | 113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Research Concepts (primary) 1000
CanAlsoBe | Weakness Variant | 144 | Failure to Sanitize Line Delimiters | Research Concepts 1000
CanAlsoBe | Weakness Variant | 145 | Failure to Sanitize Section Delimiters | Research Concepts 1000
+ Research Gaps

Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting.

+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | CRLF Injection
OWASP Top Ten 2007 | A2 | CWE More Specific | Injection Flaws
WASC | 24 | | HTTP Request Splitting
+ Related Attack Patterns
CAPEC-ID | Attack Pattern Name
(CAPEC Version: 1.4)
15 | Command Delimiters
34 | HTTP Response Splitting
81 | Web Logs Tampering
+ References
Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07. <http://marc.info/?l=bugtraq&m=102088154213630&w=2>.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Sean Eidemiller | Cigital | External
  added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External
  updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2009-03-10 | CWE Content Team | MITRE | Internal
  updated References
2009-05-27 | CWE Content Team | MITRE | Internal
  updated Name
2009-10-29 | CWE Content Team | MITRE | Internal
  updated Other Notes
2009-12-28 | CWE Content Team | MITRE | Internal
  updated Likelihood of Exploit
Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | CRLF Injection
2009-05-27 | Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')