Hi All,
We have a site failing PCI for an HTTP Response Splitting Vulnerability.
Here's an obfuscated version of the test URL:
http://florist.mysite.com/WHS X-Resp: Split.php
When called, we receive the following response headers.
HTTP/1.0 301 Moved Permanently
Content-Type: text/html
Content-Length: 1147
Date: Tue, 16 Aug 2016 01:51:57 GMT
Accept-Ranges: bytes
Location: https://florist.mysite.com/WHS
X-Resp: Split.php
Connection: close
HTTP/1.0 404 Not Found
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 1148
Date: Tue, 16 Aug 2016 01:51:57 GMT
Accept-Ranges: bytes
Strict-Transport-Security: max-age=31536000
Connection: close
Notice that the "X-Resp" header gets injected into the initial 301 request. That's the vulnerability.
We tried enabling OWASP rules in MOD_SECURITY for CRS-REQUEST-21-PROTOCOL-ATTACK, but the issue still persists.
https://documentation.cpanel.net/di...WASPModSecurityCRS-REQUEST-21-PROTOCOL-ATTACK
I have read that some MODSEC rules are not compatible with LiteSpeed, so not sure if that's the issue.
Just wondering if there are any suggestions on this. We have many hours invested on this so far.
Thanks for any assistance.
John
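As an added example (not part of John's post, and not LiteSpeed or CRS code), the Python below does two things a defender would want here: it checks a captured response for a header that a CRLF-carrying probe smuggled in, and it shows a Location builder that percent-encodes the client-supplied path so the header cannot be split. It assumes the space in the obfuscated URL stands for a CRLF in the real probe; the header text is constructed from the response quoted above.

```python
import re
from urllib.parse import quote

# Constructed from the 301 in the post (hostname as posted); only the first
# response's header block is needed here.
CAPTURED_301 = (
    "HTTP/1.0 301 Moved Permanently\r\n"
    "Content-Type: text/html\r\n"
    "Location: https://florist.mysite.com/WHS\r\n"
    "X-Resp: Split.php\r\n"
    "Connection: close\r\n\r\n"
)
# Assumed: the scanner's real path, with the CRLF the obfuscated URL shows as a space.
PROBE_PATH = "/WHS\r\nX-Resp: Split.php"
# RFC 7230 forbids CR, LF and other control characters in a header field value.
CTL = re.compile(r"[\x00-\x1f\x7f]")

def headers_of(raw: str) -> dict[str, str]:
    """Parse one response's header block into {lower-cased name: value}."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    out = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def reflected_split(raw: str, probe_path: str) -> list[str]:
    """Names of headers the probe smuggled in: each 'Name: value' after a CR/LF in
    the probe that the server echoed back as a header line of its own."""
    got = headers_of(raw)
    injected = (p.partition(":") for p in re.split(r"\r?\n", probe_path)[1:])
    return sorted(n.strip().lower() for n, _, v in injected
                  if got.get(n.strip().lower()) == v.strip())

def safe_location(scheme: str, host: str, path: str) -> str:
    """Build a Location value from a client-supplied path: percent-encode the path
    (CR/LF become %0D%0A), then refuse any value still holding a control character."""
    value = f"{scheme}://{host}{quote(path, safe='/')}"
    if CTL.search(value):
        raise ValueError("control character in redirect target")
    return value

# Constructed: what the 301 looks like once the path is encoded before reflection.
FIXED_301 = (
    "HTTP/1.0 301 Moved Permanently\r\n"
    f"Location: {safe_location('https', 'florist.mysite.com', PROBE_PATH)}\r\n"
    "Connection: close\r\n\r\n"
)
```

Running `reflected_split` over a response you capture yourself (with the probe path you actually sent) tells you whether a fix at the WAF or server level really took effect, independent of the scanner's verdict.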