Don't miss out Virtual Happy Hour this Friday (April 26).

Try our conversational search powered by Generative AI!

AI OnAI Off

CRLF Injection flaw: Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting')

Found in

EPiServer.ConnectForMarketingAutomation 5.3.0

Fixed in

EPiServer.ConnectForMarketingAutomation 5.3.4

(Or a related package)

Created

Mar 11, 2019

Updated

Mar 29, 2019

State

Closed, Fixed and tested

Description

Description
A function call contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.

Recommendations
Remove unexpected carriage returns and line feeds from untrusted data used to construct an HTTP response. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

Offender:
episerver.marketing.connector.dll
void UpsertTrackingCookie(string, string, System.Collections.Generic.List<Connector.Framework.Data.CookieData>) 66%