Seems like you might need to solve this at the web application level, unless the response splitting was done by nginx/backend server itself?<br><br>Ray<br><br><div class="gmail_quote">On Wed, Aug 5, 2009 at 10:58 AM, Kurt Hansen <span dir="ltr"><<a href="mailto:khansen@charityweb.net">khansen@charityweb.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello,<br>
<br>
Our server is checked each day by McAffee to see if there are any vulnerabilities.<br>
<br>
It found one that I'm not sure what to do. Here's the description from McAfee:<br>
<br>
>>QUOTE<br>
HTTP response splitting is the ability for an attacker to modify the headers of an HTTP response due to lack of input validation on requests that are sent to the application server.<br>
<br>
A vulnerable web application or web server allows the user to insert a Carriage Return (%0D or \r) and/or a Line Feed (%0A or \n) into the headers of an HTTP response. This is usually done by sending modified requests to the web application and the web application responding with the user supplied data being inserted into a header. The attacker then constructs and attack using a CRLF (Carriage Return-Line Feed) attack that has the client interpret the data as 2 separate responses.<br>
<<END QUOTE<br>
<br>
Here's the proposed solution:<br>
<br>
>>QUOTE<br>
All input that is sent to a web application should not be trusted and should be assumed malicious. Characters such as Carriage Return (CR) and Line Feed (LF) should be removed from all requests before being interpreted by the web application server.<br>
<br>
An attacker can also use encoded Carriage Returns and Line Feeds to exploit the web server, and user-specified Carriage Returns and Line Feeds serve no business purpose on a web server. Filter the following characters from all user supplied input:<br>
<br>
%0D<br>
%0A<br>
%0D%0A<br>
\r<br>
\n<br>
\r\n<br>
<<END QUOTE<br>
<br>
<br>
How can I implement this fix in nginx? I'm using it as a reverse proxy.<br>
<br>
Thanks!<br>
<br>
Take care,<br><font color="#888888">
<br>
Kurt Hansen<br>
<br>
</font></blockquote></div><br>