[WEB SECURITY] Attack Technique: File Download Injection

Jeff Williams jeff.williams at aspectsecurity.com
Fri Apr 11 12:52:30 EDT 2008

Hmm... Yes, I saw the changelog that claims that this protection is in
place. However, I've seen applications that claim to be running:

  Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8.b DAV/2

That are definitely vulnerable.  I haven't had time to investigate
further. Perhaps a PHP expert can figure out what's going on here?


Jeff Williams, CEO
Aspect Security
work: 410-707-1487
main: 301-604-4882

-----Original Message-----
From: Michael Dreher [mailto:migg at migg.net] 
Sent: Tuesday, April 08, 2008 4:12 AM
To: Jeff Williams; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Attack Technique: File Download Injection

Hi Jeff,

I would like to note that in PHP since version 4.4.2 / 5.1.2 this  
attack technique will not work as described, because the behaviour of  
the header()-function changed to only allow a single line per  
function call. Injecting a CRLF into the header()-function will  
result in PHP issuing a warning:

Warning: Header may not contain more than a single header, new line  

So it seems that PHP since these versions reached the ideal by not  
allowing CR/LF in its header()-function. But I totally agree with  
your opinion, that you should always verify anything coming from the  
client before using it in your application.

Best Regards,

PS: Since this is my first post on this mailing list, please do not  
hesitate to tell me if I did something wrong. I apologize to  
everybody if this is the case.

On 07.04.2008 21:22 Jeff Williams wrote:
> [...]
> Susceptible header injection vulnerabilities are frequently found in
> file download pages, but could be anywhere a web application uses
> untrusted input in a response header. This type of vulnerability can
> exist in virtually any web application environment, including  
> Java, .NET
> and PHP.
> [...]

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list