CRLF Header Injection vulnerability

Issue: SI-26
Date: Jul 17, 2014, 11:00:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 3
Credit: Isaac.nl
Description:

Scanning software (Acunetix) has reported a CRLF Injection vulnerability in the htmlpdf servlet.

I have discussed this report with our Dotcms developers and they feel the report is correct and the problem is located in the Dotcms codebase.

Mitigation:

Unmap the htmlpdf servlet if it is not being used. If it is being used, update the code to sanitize the filename parameter.
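
One way to do the sanitizing the mitigation calls for, as an added example that is not dotCMS code. It assumes the htmlpdf servlet copies the filename parameter into a Content-Disposition response header, which the advisory does not state; the class and method names are hypothetical.

```java
import java.util.regex.Pattern;

// Added example, not dotCMS code. Class and method names are hypothetical.
public class SafeDownloadName {
    // Allow-list: letters, digits, dot, underscore, hyphen. CR, LF, quotes,
    // semicolons, slashes and every other control character fall outside it.
    private static final Pattern DISALLOWED = Pattern.compile("[^A-Za-z0-9._-]");
    private static final int MAX_LEN = 100;
    private static final String FALLBACK = "document.pdf";

    /** Reduce an untrusted filename parameter to a value safe for a header. */
    static String sanitize(String raw) {
        if (raw == null) {
            return FALLBACK;
        }
        // Drop any path component first, then replace disallowed characters.
        String name = raw.substring(Math.max(raw.lastIndexOf('/'), raw.lastIndexOf('\\')) + 1);
        name = DISALLOWED.matcher(name).replaceAll("_");
        if (name.length() > MAX_LEN) {
            name = name.substring(0, MAX_LEN);
        }
        // Names made only of dots/underscores carry no information; use the default.
        return name.replaceAll("[._]", "").isEmpty() ? FALLBACK : name;
    }

    /** Build the header value; assumes the servlet uses Content-Disposition. */
    static String contentDisposition(String rawFilename) {
        return "attachment; filename=\"" + sanitize(rawFilename) + "\"";
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name, one with CR/LF, one empty.
        String[] samples = {
            "report.pdf",
            "report.pdf\r\nX-Constructed-Header: 1",
            ""
        };
        for (String s : samples) {
            String value = contentDisposition(s);
            // A header value must never contain CR or LF.
            if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
                throw new IllegalStateException("CR/LF survived sanitizing");
            }
            System.out.println(value);
        }
    }
}
```

An allow-list is used rather than stripping only `\r` and `\n`, so quotes and semicolons that would break out of the quoted filename value are neutralized as well.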