The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. It has been reported in detail in "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')".
CRLF (Carriage Return
"\r" and Line Feed
"\n") is a significant sequence of
characters, representing the the End Of Line (EOL) marker for many Internet
protocols, including, but not limited to MIME (e-mail), NNTP (newsgroups), and,
more importantly, HTTP. When programmers write code for web applications, they
split headers based on where the CRLF is found. If a malicious user is able to
inject his own CRLF sequence into an HTTP stream, he is able to maliciously
control the way a web application functions.
For instance, the following attack is possible using
$message = new Zend\Mail\Message(); $message->setSubject( "test1\r\nContent-Type: text/html; charset = \"iso-8859-1\"\r\n\r\n" . "<iframe src=\"http://example.com/\"></iframe>" . "<!--" ); $message->setBody("This is the real body!"); var_dump($message->toString());
var_dump() shows that the string contains a double CRLF sequence. A mail
server will interpret the HTML code as the message body, instead of the correct
one, executing the attack!
The other Zend Framework component affected by CRLF Injection Attack is
In Zend Framework 2, we added three new classes:
Each defines three static methods:
filter($value), for filtering a value based on the relevant IETF specification.
isValid($value), for validating that a value only contains characters defined in the relevant IETF specification.
assertValid($value), for asserting that a value is valid (raises an exception for invalid values).
We updated the header classes in each component to use the
assertValid() methods to validate data provided to the class and raise an
exception for invalid data. These utilities are used both when deserializing a
header value, as well as when providing data via constructors and setters,
ensuring that the classes can only emit valid data.
Additionally, we updated deserialization methods in classes representing mail messages and HTTP request and response messages to scan for CRLF injection attempts, and they now raise exceptions on detection.
Users may use the
isValid() methods to pro-actively check for invalid values,
filter() methods to sanitize data to use for headers. In the latter
case, developers should be aware that filtering is lossy, as it strips any
invalid characters detected.
For Zend Framework 1, we applied a similar solution as for Zend Framework2,
Zend_Http_Header_HeaderValue, each with the same static methods and approach
as above. The
classes were audited to ensure that they assert valid values.
The following specifications were used when developing the solution:
The patch fixing the issues has been applied in the following versions:
This vulnerability has also been disclosed as CVE-2015-3154.
If you are using
Zend\Http from Zend Framework 2 (either
standalone, or within components like
Zend\Mvc), or if you are using the
Zend_Http components from Zend Framework 1, we recommend
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Zend\Httpissue, and who reviewed the patch and proposed improvements; and
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org