CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.6)  

CWE-93: Failure to Sanitize CRLF Sequences ('CRLF Injection')

 
Failure to Sanitize CRLF Sequences ('CRLF Injection')
Weakness ID: 93 (Weakness Base)Status: Draft
+ Description

Description Summary

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not properly sanitize CRLF sequences from inputs.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.

(Bad Code)
Java
logger.info("User's street address: " + request.getParameter("streetAddress"));
+ Observed Examples
ReferenceDescription
CVE-2002-1771CRLF injection enables spam proxy (add mail headers) using email address or name.
CVE-2002-1783CRLF injection in API function arguments modify headers for outgoing requests.
CVE-2004-1513Spoofed entries in web server log file via carriage returns
CVE-2006-4624Chain: inject fake log entries with fake timestamps using CRLF injection
CVE-2005-1951Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1687Chain: HTTP response splitting via CRLF in parameter related to URL.
+ Potential Mitigations
PhaseDescription

Avoid using CRLF as a special sequence.

Appropriately filter or quote CRLF sequences in user-controlled input.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class74Failure to Sanitize Data into a Different Plane ('Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
CanPrecedeWeakness BaseWeakness Base117Improper Output Sanitization for Logs
Research Concepts1000
ChildOfCategoryCategory713OWASP Top Ten 2007 Category A2 - Injection Flaws
Weaknesses in OWASP Top Ten (2007) (primary)629
ParentOfWeakness BaseWeakness Base113Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Research Concepts (primary)1000
CanAlsoBeWeakness VariantWeakness Variant144Failure to Sanitize Line Delimiters
Research Concepts1000
CanAlsoBeWeakness VariantWeakness Variant145Failure to Sanitize Section Delimiters
Research Concepts1000
+ Research Gaps

Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting.

+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERCRLF Injection
OWASP Top Ten 2007A2CWE More SpecificInjection Flaws
+ References
Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07. <http://marc.info/?l=bugtraq&m=102088154213630&w=2>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated References
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-10-29CWE Content TeamMITREInternal
updated Other Notes
Back to top
Page Last Updated: October 29, 2009
 

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us