Issues » HTTP header injection

Issue: SI-23
Date: Apr 21, 2014 11:30:00 AM
Severity: Moderate
Requires Admin Access: No
Fix Version: 2.5.4
Credit: it.sec GmbH & Co. KG – Hans-Martin Münch & Markus Piéton
Description:

A header injection allows a attacker to insert arbitrary HTTP-Headers into the server’s response. This enables a attacker to change cookie values, add additional headers or in the case of a normal page to insert arbitrary code that gets executed as soon as the client receives the server’s response.

Workaround:

 As a workaround, we suggest using a Application firewall to block access to those urls externally.

Back to the top