CWE - CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') (2.4)

Home > CWE List > CWE- Individual Dictionary Definition (2.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
SwA On-Ramp
T-Shirt
Discussion List
Discussion Archives
Contact Us

Scoring
CWSS
CWRAF
CWE/SANS Top 25

Compatibility
Requirements
Coverage Claims Representation
Compatible Products
Make a Declaration

News
Calendar
Free Newsletter

Search the Site

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Weakness ID: 93 (Weakness Base)

Status: Draft

Description

Description Summary

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Integrity	Technical Impact: Modify application data

Likelihood of Exploit

Medium to High

Demonstrative Examples

Example 1

If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.

(Bad Code)

Example Language: Java

logger.info("User's street address: " + request.getParameter("streetAddress"));

Observed Examples

Reference	Description
CVE-2002-1771	CRLF injection enables spam proxy (add mail headers) using email address or name.
CVE-2002-1783	CRLF injection in API function arguments modify headers for outgoing requests.
CVE-2004-1513	Spoofed entries in web server log file via carriage returns
CVE-2006-4624	Chain: inject fake log entries with fake timestamps using CRLF injection
CVE-2005-1951	Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1687	Chain: HTTP response splitting via CRLF in parameter related to URL.

Potential Mitigations

Phase: Implementation

Avoid using CRLF as a special sequence.

Phase: Implementation

Appropriately filter or quote CRLF sequences in user-controlled input.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	713	OWASP Top Ten 2007 Category A2 - Injection Flaws	Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOf	Category	896	SFP Cluster: Tainted Input	Software Fault Pattern (SFP) Clusters (primary)888
CanPrecede	Weakness Base	117	Improper Output Neutralization for Logs	Research Concepts1000
ParentOf	Weakness Base	113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')	Research Concepts (primary)1000
CanAlsoBe	Weakness Variant	144	Improper Neutralization of Line Delimiters	Research Concepts1000
CanAlsoBe	Weakness Variant	145	Improper Neutralization of Section Delimiters	Research Concepts1000

Research Gaps

Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting.

Causal Nature

Explicit

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			CRLF Injection
OWASP Top Ten 2007	A2	CWE_More_Specific	Injection Flaws
WASC	24		HTTP Request Splitting

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.7.1)
15	Command Delimiters
81	Web Logs Tampering

References

Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07. <http://marc.info/?l=bugtraq&m=102088154213630&w=2>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Sean Eidemiller	Cigital	External
2008-07-01	added/updated demonstrative examples
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated References
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Name
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Other_Notes
2009-12-28	CWE Content Team	MITRE	Internal
2009-12-28	updated Likelihood_of_Exploit
2010-02-16	CWE Content Team	MITRE	Internal
2010-02-16	updated Related_Attack_Patterns, Taxonomy_Mappings
2010-04-05	CWE Content Team	MITRE	Internal
2010-04-05	updated Related_Attack_Patterns
2010-06-21	CWE Content Team	MITRE	Internal
2010-06-21	updated Description, Name
2011-03-29	CWE Content Team	MITRE	Internal
2011-03-29	updated Description
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Relationships
2012-10-30	CWE Content Team	MITRE	Internal
2012-10-30	updated Potential_Mitigations
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	CRLF Injection

2009-05-27	Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')

2010-06-21	Failure to Sanitize CRLF Sequences ('CRLF Injection')

Page Last Updated: February 20, 2013


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us