QlikView Webserver - CRLF injection/HTTP response splitting

I've tried to look for a solution for this issue, but my experience is limited.

I'm -still- using QV 11.0.11282.0

Any help would be appreciated

5 Replies
Giuseppe_Novello

Hugo,

This is reported in bug # 64659 and closed as "obsolete" for the following reason (according to R&D):

" The reported security vulnerability is a false-positive. It is true that the test string “SomeCustomInjectedHeader: injected” is returned by the server, but the CRLF characters are not integrated by the server in the response, and as a consequence the test string is never interpreted by the receiving browser as a header."

As always, to be safe, implement SSL. V11.00 SR1 is really old and no longer patchable; for that, upgrade to V11.20 SR7.

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
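The distinction R&D draws above (the test string comes back, but the CRLF bytes are not turned into a header boundary) is exactly what separates a scanner false positive from real response splitting. The following is an added illustration, not Qlik's code and not taken from this thread: it parses a raw HTTP response and reports whether the scanner's marker appears as its own header line, as plain text inside another header's value, or only in the body. The three sample responses are constructed here to show each case; they are not captures from a QlikView server. The marker name `SomeCustomInjectedHeader` is the one quoted in the R&D note.

```python
"""Distinguish an echoed scanner string from real HTTP response splitting.

Added illustration (not Qlik's code). A scanner flags "CRLF injection"
when its marker header name shows up in a response. Whether that is a
real finding depends on WHERE it shows up:
  - as a separate line in the header block  -> real response splitting
  - as text inside another header's value   -> CRLF bytes were neutralised
  - only in the body                        -> plain reflection, no header effect
All sample responses below are constructed, not captured from a server.
"""
import re


def split_response(raw: bytes):
    """Return (status_line, [header lines], body) from raw HTTP response bytes."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def classify_marker(raw: bytes, marker: str = "SomeCustomInjectedHeader") -> str:
    """Classify how the scanner's marker surfaces in a response.

    'header' : marker begins its own header line   -> exploitable splitting
    'value'  : marker only inside another header's value -> CRLF neutralised
    'body'   : marker only in the body             -> reflection, not splitting
    'absent' : marker not reflected at all
    """
    _status, headers, body = split_response(raw)
    name_pat = re.compile(rb"^" + re.escape(marker.encode()) + rb"\s*:", re.I)
    if any(name_pat.match(h) for h in headers):
        return "header"
    if any(marker.encode() in h for h in headers):
        return "value"
    if marker.encode() in body:
        return "body"
    return "absent"


def sanitize_header_value(value: str) -> str:
    """Server-side mitigation: drop CR and LF so user-controlled text can
    never terminate a header line. (Rejecting the request is also valid.)"""
    return value.replace("\r", "").replace("\n", "")


def build_redirect(location: str) -> bytes:
    """Build a minimal 302 whose Location value has been sanitised (constructed)."""
    safe = sanitize_header_value(location)
    return (b"HTTP/1.1 302 Found\r\nLocation: " + safe.encode()
            + b"\r\nContent-Length: 0\r\n\r\n")


# Constructed sample input: what a scanner's test string looks like after
# the server URL-decodes it (%0d%0a -> CR LF).
DECODED = "/home\r\nSomeCustomInjectedHeader: injected"

# 1. A server that copies the decoded value verbatim into a header (vulnerable).
VULNERABLE = (b"HTTP/1.1 302 Found\r\nLocation: " + DECODED.encode()
              + b"\r\nContent-Length: 0\r\n\r\n")

# 2. Same redirect built with the CR/LF stripped: marker survives only as text.
SAFE = build_redirect(DECODED)

# 3. A server that merely reflects the string in an error page body.
BODY_ONLY = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
             b"<p>No page named /home\r\nSomeCustomInjectedHeader: injected</p>")

# 4. Nothing reflected at all.
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE), ("sanitised", SAFE),
                        ("body-only", BODY_ONLY), ("clean", CLEAN)):
        print(f"{label:>10}: {classify_marker(resp)}")
```

Only the "header" outcome means a browser or proxy would treat the injected text as a header; the "value" and "body" outcomes are the situation described in the R&D note, where the string is visible but the CRLF never becomes a line break in the header block. Run it against a raw response captured with a tool that preserves the exact bytes, since a rendered view of headers can hide the difference.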
Not applicable
Author

Grazie Giuseppe!

Exactly the answer I was hoping for. I'll work now with my superiors to upgrade my QV

Thanks again

Anonymous
Not applicable
Author

Hi Giuseppe,

May I ask something about security vulnerability caused by HTTP header injection?

What I'd like to ask you is whether we can avoid any security vulnerability caused by HTTP header injection because QlikView doesn't integrate the CRLF characters in the response.

Many thanks,

Miki Eto

Bill_Britt
Former Employee

Hi,

From my understanding, the CRLF characters are not integrated by the server in the response and are never understood by the browser as a header.

Bill

Bill - Principal Technical Support Engineer at Qlik
Anonymous
Not applicable
Author

Thanks, Bill.