Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Not applicable
‎2014-07-18 11:33 AM

Qlikvew Webserver - CRLF injection/HTTP response splitting

I've tried to look for a solution for this issue, but my experience is limited.

I'm -still- using QV 11.0.11282.0

Any help would be appreciated

Labels (1)
Labels
1,445 Views
0 Likes
5 Replies
Giuseppe_Novello
Support
Support
‎2014-07-18 02:47 PM

Hugo,

This is reported in bug # 64659 and close as "obsolete" for the following reason( according R&D):

" The reported security vulnerability is a false-positive. It is true that the test string “SomeCustomInjectedHeader: injected” is returned by the server, but the CRLF characters are not integrated by the server in the response, and as a consequence the test string is never interpreted by the receiving browser as a header."

As always to be safe, implement SSL and V11.00 SR1 is really old and not longer patchable for that upgrade to V11.20 SR7.

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
884 Views
0 Likes
Not applicable
‎2014-07-18 04:16 PM
Author

In response to Giuseppe_Novello

Grazie Giuseppe!

Exactly the answer I was hoping for. I'll work now with my superiors to upgrade my QV

Thanks again

884 Views
Anonymous
Not applicable
‎2015-05-25 02:23 AM
Author

In response to Giuseppe_Novello

Hi Giuseppe,

May I ask something about security vulnerability caused by HTTP header injection?

What I'd like to ask you is whether we can avoid any security vulnerability caused by HTTP header injection because QlikView doesn't integrate the CRLF characters in the response.

Many thanks,

Miki Eto

884 Views
0 Likes
Bill_Britt
Former Employee
Former Employee
‎2015-05-26 07:53 AM

In response to Anonymous

Hi,

From my understanding the CRLF characters are not integrated by the server in the response, and is never understood by the browser as a header.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.
884 Views
Anonymous
Not applicable
‎2015-05-26 11:13 PM
Author

In response to Bill_Britt

Thanks, Bill.

884 Views
0 Likes