https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705146#M1263376 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>From my understanding the CRLF characters are not integrated by the server in the response, and is never understood by the browser as a header.</P><P></P><P>Bill</P></BODY></HTML> Tue, 26 May 2015 11:53:04 GMT Bill_Britt 2015-05-26T11:53:04Z https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705142#M1263370 <HTML><HEAD></HEAD><BODY><P>I've tried to look for a solution for this issue, but my experience is limited.</P><P>I'm -still- using QV 11.0.11282.0</P><P></P><P>Any help would be appreciated</P></BODY></HTML> Mon, 26 Jan 2026 18:19:17 GMT https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705142#M1263370 2026-01-26T18:19:17Z https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705143#M1263373 <HTML><HEAD></HEAD><BODY><P>Hugo,</P><P></P><P>This is reported in bug # 64659 and close as "obsolete" for the following reason( according R&amp;D):</P><P>" The reported security vulnerability is a false-positive. It is true that the test string “SomeCustomInjectedHeader: injected” is returned by the server, but the CRLF characters are not integrated by the server in the response, and as a consequence the test string is never interpreted by the receiving browser as a header."</P><P></P><P>As always to be safe, implement SSL and V11.00 SR1 is really old and not longer patchable for that upgrade to V11.20 SR7. </P></BODY></HTML> Fri, 18 Jul 2014 18:47:39 GMT https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705143#M1263373 Giuseppe_Novello 2014-07-18T18:47:39Z https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705144#M1263374 <HTML><HEAD></HEAD><BODY><P>Grazie Giuseppe!</P><P></P><P>Exactly the answer I was hoping for. I'll work now with my superiors to upgrade my QV</P><P></P><P>Thanks again</P></BODY></HTML> Fri, 18 Jul 2014 20:16:30 GMT https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705144#M1263374 2014-07-18T20:16:30Z https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705145#M1263375 <HTML><HEAD></HEAD><BODY><P>Hi Giuseppe,</P><P></P><P>May I ask something about security vulnerability caused by HTTP header injection?</P><P></P><P>What I'd like to ask you is whether <SPAN style="font-size: 10pt; line-height: 1.5em;">we can avoid any security vulnerability caused by HTTP header injection because QlikView doesn't integrate the CRLF characters in the response.</SPAN></P><P></P><P>Many thanks,</P><P>Miki Eto</P></BODY></HTML> Mon, 25 May 2015 06:23:08 GMT https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705145#M1263375 Anonymous 2015-05-25T06:23:08Z https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705146#M1263376 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>From my understanding the CRLF characters are not integrated by the server in the response, and is never understood by the browser as a header.</P><P></P><P>Bill</P></BODY></HTML> Tue, 26 May 2015 11:53:04 GMT https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705146#M1263376 Bill_Britt 2015-05-26T11:53:04Z https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705147#M1263377 <HTML><HEAD></HEAD><BODY><P>Thanks, Bill.</P></BODY></HTML> Wed, 27 May 2015 03:13:56 GMT https://community.qlik.com/t5/QlikView/Qlikvew-Webserver-CRLF-injection-HTTP-response-splitting/m-p/705147#M1263377 Anonymous 2015-05-27T03:13:56Z