Qlik Community

QlikView Deployment


Not applicable

QlikView Webserver - CRLF injection/HTTP response splitting

I've tried to look for a solution for this issue, but my experience is limited.

I'm -still- using QV 11.0.11282.0

Any help would be appreciated

gno
Valued Contributor II

Re: QlikView Webserver - CRLF injection/HTTP response splitting

Hugo,

This is reported in bug # 64659 and closed as "obsolete" for the following reason (according to R&D):

" The reported security vulnerability is a false-positive. It is true that the test string “SomeCustomInjectedHeader: injected” is returned by the server, but the CRLF characters are not integrated by the server in the response, and as a consequence the test string is never interpreted by the receiving browser as a header."

As always, to be safe, implement SSL. V11.00 SR1 is really old and no longer patchable; for that, upgrade to V11.20 SR7.
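The distinction R&D draws above (the marker string is echoed, but no raw CR/LF bytes reach the response, so the browser never sees a new header line) is exactly what a defender should verify before accepting or rejecting a scanner finding. The following is an added triage check, not code from the thread or from Qlik; the two sample responses and the `/app/open?doc=` path are constructed for illustration.

```python
from typing import List, Tuple

# Constructed sample responses (not captured from a real QlikView server).
# Case 1: the marker survives only inside the Location value; the CR/LF arrive
# percent-encoded, so no new header line exists. This is the false-positive case.
ECHOED_ONLY = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /app/open?doc=%0d%0aSomeCustomInjectedHeader: injected\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Case 2: raw CR/LF bytes were written into the header block, so the marker
# becomes its own header line. This is genuine HTTP response splitting.
REALLY_SPLIT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /app/open?doc=\r\n"
    b"SomeCustomInjectedHeader: injected\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into (status line, [(name, value), ...]) the way a
    browser does: header lines are delimited only by literal CR/LF bytes."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed line without a colon; browsers ignore it
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return status, headers


def injection_verdict(raw: bytes, marker: str = "SomeCustomInjectedHeader") -> str:
    """'confirmed' if the marker is a real header line, 'false-positive' if it
    is merely echoed inside a value or body, 'not-reflected' otherwise."""
    _status, headers = parse_headers(raw)
    if marker.lower() in (name for name, _ in headers):
        return "confirmed"
    if marker.encode("latin-1") in raw:
        return "false-positive"
    return "not-reflected"
```

Run it against a saved raw response (for example from a proxy or `curl -i`) rather than against a scanner's rendered view, which may decode `%0d%0a` and make the two cases look alike.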

Not applicable

Re: QlikView Webserver - CRLF injection/HTTP response splitting

Grazie Giuseppe!

Exactly the answer I was hoping for. I'll work now with my superiors to upgrade my QV.

Thanks again

iet
New Contributor

Re: QlikView Webserver - CRLF injection/HTTP response splitting

Hi Giuseppe,

May I ask something about security vulnerability caused by HTTP header injection?

What I'd like to ask you is whether we can avoid any security vulnerability caused by HTTP header injection because QlikView doesn't integrate the CRLF characters in the response.

Many thanks,

Miki Eto

Employee

Re: QlikView Webserver - CRLF injection/HTTP response splitting

Hi,

From my understanding, the CRLF characters are not integrated by the server in the response, and they are never understood by the browser as a header.

Bill

iet
New Contributor

Re: QlikView Webserver - CRLF injection/HTTP response splitting

Thanks, Bill.