Status: Draft
Weakness ID: 93 (Weakness Base)

Summary
The software uses CRLF (carriage return line feed) as a special element, e.g. to separate lines or records, but it does not properly sanitize CRLF sequences from inputs.

Extended Description
If user input that eventually makes it into a log message is not checked for CR and LF characters, an attacker may be able to forge entries in a log file: a CRLF embedded in the input terminates the current record, and whatever follows it is written as a new one.

Demonstrative Example (Java)
The street address is taken straight from the request and concatenated into the log message without any filtering of line terminators:

    logger.info("User's street address: " + request.getParameter("streetAddress"));
Potential Mitigations
Avoid using CRLF as a special sequence. Appropriately filter or quote CRLF sequences in user-controlled input.
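The following added example (not part of the CWE entry) reproduces the Java example's logging call in Python, first with the raw field and then with line terminators neutralized as the mitigation suggests. The sample address and the logger names are constructed for the demonstration.

```python
import io
import logging

# Constructed sample input: a street address that embeds a CRLF followed by
# text shaped like a second log record (the forgery the CWE describes).
FORGED_ADDRESS = "1 Main St\r\nINFO  User admin logged in"

# Every character Python's str.splitlines() treats as a line boundary, mapped
# to a visible escape. Rejecting such input outright is the stricter option.
_LINE_BREAKS = str.maketrans({
    "\r": "\\r", "\n": "\\n", "\x0b": "\\x0b", "\x0c": "\\x0c",
    "\x1c": "\\x1c", "\x1d": "\\x1d", "\x1e": "\\x1e", "\x85": "\\x85",
    "\u2028": "\\u2028", "\u2029": "\\u2029",
})


def neutralize(value: str) -> str:
    """Escape all line-terminating characters so a single logged field can
    never begin a new record in a line-oriented log file."""
    return value.translate(_LINE_BREAKS)


def log_address(address: str, sanitize: bool) -> list[str]:
    """Log one address the way the CWE's Java example does and return the
    resulting log as a list of lines. With sanitize=True the field goes
    through neutralize() first."""
    buf = io.StringIO()
    logger = logging.getLogger("cwe93.demo." + ("safe" if sanitize else "raw"))
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s  %(message)s"))
    logger.addHandler(handler)

    field = neutralize(address) if sanitize else address
    logger.info("User's street address: " + field)  # same shape as the Java example

    logger.removeHandler(handler)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    # Raw: two records, the second indistinguishable from a genuine one.
    for line in log_address(FORGED_ADDRESS, sanitize=False):
        print("raw  |", line)
    # Neutralized: one record, with the CRLF visible as literal \r\n.
    for line in log_address(FORGED_ADDRESS, sanitize=True):
        print("safe |", line)
```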
Research Gaps
Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting.
References
Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07. <http:/

Content History
Submissions: PLOVER. (Externally Mined)
Modifications:
Sean Eidemiller. Cigital. 2008-07-01. (External) added/updated demonstrative examples
Eric Dalci. Cigital. 2008-07-01. (External) updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal) updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team. MITRE. 2009-03-10. (Internal) updated References
CWE Content Team. MITRE. 2009-05-27. (Internal) updated Name
Previous Entry Names:
CRLF Injection (changed 2008-04-11)
Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') (changed 2009-05-27)
Page Last Updated: May 26, 2009

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Contact cwe@mitre.org for more information.