CWE - Individual Dictionary Definition (1.4)

CWE-93: Failure to Sanitize CRLF Sequences ('CRLF Injection')

Status: Draft
Weakness ID: 93 (Weakness Base)
+ Description
Summary

The software uses CRLF (carriage return followed by line feed) sequences as a special element, e.g. to separate lines or records, but it does not properly sanitize CRLF sequences out of its inputs before they reach that context.

+ Time of Introduction
* Architecture and Design
* Implementation
+ Applicable Platforms
Languages
All
+ Demonstrative Examples

If user input that eventually reaches a log message is not checked for CRLF characters, an attacker may be able to forge entries in the log file: a CRLF embedded in the value ends the legitimate record and everything after it is read by log consumers as a separate, attacker-controlled line.

Java Example:
// Vulnerable: an embedded CR/LF in streetAddress terminates this record and starts a forged one
logger.info("User's street address: " + request.getParameter("streetAddress"));
+ Observed Examples
* CRLF injection enables spam proxy (add mail headers) using email address or name.
* CRLF injection in API function arguments modifies headers for outgoing requests.
* Spoofed entries in web server log file via carriage returns.
* Chain: HTTP response splitting via CRLF in parameter related to URL.
* Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
* Chain: inject fake log entries with fake timestamps using CRLF injection.
+ Potential Mitigations

Avoid using CRLF as a special sequence.

Appropriately filter or quote CRLF sequences in user-controlled input.
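
The following is an added example and is not part of the CWE entry. It reproduces the Demonstrative Example above (a user-supplied street address concatenated into a log record) and then applies the two mitigations listed here: quoting line terminators in user-controlled input, and moving to a structured record format in which CRLF is no longer a special sequence inside a value. It is written in Python rather than the page's Java so that the behaviour of a line-oriented log consumer can be shown directly. The attacker input, function names and the assumption that the consumer splits records the way `str.splitlines()` does are all constructed for this example.

```python
"""
Added example, not part of the CWE entry: CRLF injection into a log record,
followed by the two mitigations the entry lists (filter or quote CRLF in
user-controlled input; avoid CRLF as a special sequence by using a structured
record format). All inputs and names are constructed for the example.
"""
import json
import re

# Constructed attacker input: a plausible street address, a CRLF, and a forged
# second record that a line-oriented log consumer will read as its own entry.
FORGED_ADDRESS = "1 Main St\r\nINFO  User admin logged in from 10.0.0.1"


def log_line_vulnerable(level: str, street_address: str) -> str:
    """Same shape as the page's Java one-liner: the value is concatenated verbatim."""
    return f"{level}  User's street address: {street_address}\n"


# Characters that str.splitlines() (and many log viewers) treat as record
# boundaries. Filtering only "\r\n" is not enough for such a consumer, so the
# superset is neutralized; a consumer known to split only on "\n" needs less.
_LINE_BREAKS = re.compile("[\r\n\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]")


def neutralize_line_breaks(value: str) -> str:
    """Quote, rather than drop, every line terminator: the original input stays
    recoverable from the log (useful evidence) but can never start a new record."""
    def escape(match):
        ch = match.group()
        return {"\r": "\\r", "\n": "\\n"}.get(ch, "\\u%04x" % ord(ch))
    return _LINE_BREAKS.sub(escape, value)


def log_line_hardened(level: str, street_address: str) -> str:
    """Mitigation 'filter or quote CRLF': one input always yields one record."""
    return f"{level}  User's street address: {neutralize_line_breaks(street_address)}\n"


def log_record_json(level: str, street_address: str) -> str:
    """Mitigation 'avoid using CRLF as a special sequence': emit one JSON object
    per line. json.dumps always escapes CR and LF inside strings (and, with the
    default ensure_ascii=True, every non-ASCII terminator too), so the only raw
    newline in the output is the record separator appended here."""
    return json.dumps({"level": level, "streetAddress": street_address}) + "\n"


def parse_json_record(line: str) -> dict:
    """Consumer side: the attacker's text comes back as data, not as a record."""
    return json.loads(line)


def is_safe_header_value(value: str) -> bool:
    """For HTTP or mail headers there is no quoting syntax for a bare CR/LF, so
    the right filter is to reject the value outright instead of escaping it."""
    return re.search(r"[\r\n]", value) is None


def format_header(name: str, value: str) -> str:
    if not is_safe_header_value(value):
        raise ValueError(f"CR/LF not allowed in header {name!r}")
    return f"{name}: {value}\r\n"


def count_records(text: str) -> int:
    """How many records a line-oriented consumer would see in the output."""
    return len(text.splitlines())


if __name__ == "__main__":
    for label, line in (
        ("vulnerable", log_line_vulnerable("INFO", FORGED_ADDRESS)),
        ("hardened", log_line_hardened("INFO", FORGED_ADDRESS)),
        ("json", log_record_json("INFO", FORGED_ADDRESS)),
    ):
        print(f"[{label}] records seen by consumer: {count_records(line)}")
        print(line, end="")
```

The two mitigations are not interchangeable. Quoting (the `\r`, `\n` escapes) suits logs, where the attacker's exact bytes are evidence worth keeping; rejection suits protocol headers, where no escape exists and an escaped value would simply be wrong. In both cases the set of characters treated as a terminator must match what the consumer actually honours, which is why the log sanitizer covers more than CR and LF.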

+ Other Notes

Factors: primary to HTTP Response Splitting.

+ Weakness Ordinalities
Primary (where the weakness exists independent of other weaknesses)
+ Relationships
(Nature: Type ID, Name. Views: view(s) this relationship pertains to, with view ID)
* ChildOf: Weakness Class 74, Failure to Sanitize Data into a Different Plane ('Injection'). Views: Development Concepts (primary) 699; Research Concepts (primary) 1000
* CanPrecede: Weakness Base 117, Improper Output Sanitization for Logs. Views: Research Concepts 1000
* ChildOf: Category 713, OWASP Top Ten 2007 Category A2 - Injection Flaws. Views: Weaknesses in OWASP Top Ten (2007) (primary) 629
* ParentOf: Weakness Base 113, Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting'). Views: Research Concepts (primary) 1000
* CanAlsoBe: Weakness Variant 144, Failure to Sanitize Line Delimiters. Views: Research Concepts 1000
* CanAlsoBe: Weakness Variant 145, Failure to Sanitize Section Delimiters. Views: Research Concepts 1000
+ Research Gaps

Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting.

+ Causal Nature
Explicit (an explicit weakness resulting from behavior of the developer)
+ Taxonomy Mappings
(Mapped Taxonomy Name: Node ID, Fit, Mapped Node Name)
* PLOVER: CRLF Injection
* OWASP Top Ten 2007: A2, CWE More Specific, Injection Flaws
+ References
Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07. <http://marc.info/?l=bugtraq&m=102088154213630&w=2>.
+ Content History
Submissions
PLOVER. (Externally Mined)
Modifications
Sean Eidemiller. Cigital. 2008-07-01. (External)
added/updated demonstrative examples
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team. MITRE. 2009-03-10. (Internal)
updated References
CWE Content Team. MITRE. 2009-05-27. (Internal)
updated Name
Previous Entry Names
* CRLF Injection (changed 2008-04-11)
* Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') (changed 2009-05-27)
Page Last Updated: May 26, 2009