CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

 
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Weakness ID: 93 (Weakness Base)Status: Draft
+ Description

Description Summary

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Integrity

Technical Impact: Modify application data

+ Likelihood of Exploit

Medium to High

+ Demonstrative Examples

Example 1

If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.

(Bad Code)
Example Language: Java 
logger.info("User's street address: " + request.getParameter("streetAddress"));
+ Observed Examples
ReferenceDescription
CVE-2002-1771CRLF injection enables spam proxy (add mail headers) using email address or name.
CVE-2002-1783CRLF injection in API function arguments modify headers for outgoing requests.
CVE-2004-1513Spoofed entries in web server log file via carriage returns
CVE-2006-4624Chain: inject fake log entries with fake timestamps using CRLF injection
CVE-2005-1951Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1687Chain: HTTP response splitting via CRLF in parameter related to URL.
+ Potential Mitigations

Phase: Implementation

Avoid using CRLF as a special sequence.

Phase: Implementation

Appropriately filter or quote CRLF sequences in user-controlled input.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory713OWASP Top Ten 2007 Category A2 - Injection Flaws
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory896SFP Cluster: Tainted Input
Software Fault Pattern (SFP) Clusters (primary)888
CanPrecedeWeakness BaseWeakness Base117Improper Output Neutralization for Logs
Research Concepts1000
ParentOfWeakness BaseWeakness Base113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Research Concepts (primary)1000
CanAlsoBeWeakness VariantWeakness Variant144Improper Neutralization of Line Delimiters
Research Concepts1000
CanAlsoBeWeakness VariantWeakness Variant145Improper Neutralization of Section Delimiters
Research Concepts1000
+ Research Gaps

Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting.

+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERCRLF Injection
OWASP Top Ten 2007A2CWE_More_SpecificInjection Flaws
WASC24HTTP Request Splitting
+ References
Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07. <http://marc.info/?l=bugtraq&m=102088154213630&w=2>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated References
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-10-29CWE Content TeamMITREInternal
updated Other_Notes
2009-12-28CWE Content TeamMITREInternal
updated Likelihood_of_Exploit
2010-02-16CWE Content TeamMITREInternal
updated Related_Attack_Patterns, Taxonomy_Mappings
2010-04-05CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2010-06-21CWE Content TeamMITREInternal
updated Description, Name
2011-03-29CWE Content TeamMITREInternal
updated Description
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11CRLF Injection
2009-05-27Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
2010-06-21Failure to Sanitize CRLF Sequences ('CRLF Injection')
Page Last Updated: February 18, 2014