Security

Security Advisory: ZF2015-04

ZF2015-04: Potential CRLF injection attacks in mail and HTTP headers

The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. It has been reported in detail in "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')".

CRLF (Carriage Return "\r" and Line Feed "\n") is a significant sequence of characters, representing the the End Of Line (EOL) marker for many Internet protocols, including, but not limited to MIME (e-mail), NNTP (newsgroups), and, more importantly, HTTP. When programmers write code for web applications, they split headers based on where the CRLF is found. If a malicious user is able to inject his own CRLF sequence into an HTTP stream, he is able to maliciously control the way a web application functions.

For instance, the following attack is possible using Zend\Mail:

$message = new Zend\Mail\Message();
$message->setSubject(
    "test1\r\nContent-Type: text/html; charset = \"iso-8859-1\"\r\n\r\n"
    . "<iframe src=\"http://example.com/\"></iframe>"
    . "<!--"
);
$message->setBody("This is the real body!");
var_dump($message->toString());

This var_dump() shows that the string contains a double CRLF sequence. A mail server will interpret the HTML code as the message body, instead of the correct one, executing the attack!

The other Zend Framework component affected by CRLF Injection Attack is Zend\Http.

Action Taken

In Zend Framework 2, we added three new classes:

  • Zend\Mail\Header\HeaderName
  • Zend\Mail\Header\HeaderValue
  • Zend\Http\Header\HeaderValue

Each defines three static methods:

  • filter($value), for filtering a value based on the relevant IETF specification.
  • isValid($value), for validating that a value only contains characters defined in the relevant IETF specification.
  • assertValid($value), for asserting that a value is valid (raises an exception for invalid values).

We updated the header classes in each component to use the isValid() and assertValid() methods to validate data provided to the class and raise an exception for invalid data. These utilities are used both when deserializing a header value, as well as when providing data via constructors and setters, ensuring that the classes can only emit valid data.

Additionally, we updated deserialization methods in classes representing mail messages and HTTP request and response messages to scan for CRLF injection attempts, and they now raise exceptions on detection.

Users may use the isValid() methods to pro-actively check for invalid values, and/or the filter() methods to sanitize data to use for headers. In the latter case, developers should be aware that filtering is lossy, as it strips any invalid characters detected.

For Zend Framework 1, we applied a similar solution as for Zend Framework2, introducing Zend_Mail_Header_HeaderName, Zend_Mail_Header_HeaderValue, and Zend_Http_Header_HeaderValue, each with the same static methods and approach as above. The Zend_Mail_Message, Zend_Mail_Part, Zend_Http_Client, Zend_Http_Request, Zend_Http_Response, and Zend_Http_Header_SetCookie classes were audited to ensure that they assert valid values.

The following specifications were used when developing the solution:

The patch fixing the issues has been applied in the following versions:

  • Zend Framework 1.12.12
  • Zend Framework 2.3.8
  • Zend Framework 2.4.1

This vulnerability has also been disclosed as CVE-2015-3154.

Recommendations

If you are using Zend\Mail or Zend\Http from Zend Framework 2 (either standalone, or within components like Zend\Mvc), or if you are using the Zend_Mail or Zend_Http components from Zend Framework 1, we recommend upgrading immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Filippo Tessarotto, who reported the issue on Zend\Mail; and
  • Enrico Zimuel, who provided the initial patch, as well as ongoing review; and
  • Maks3w, who reported the Zend\Http issue, and who reviewed the patch and proposed improvements; and
  • Matthew Weier O'Phinney, who reviewed, tested, and finalized the patch.

Released 2015-05-07

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts