CVE-2022-37240: HTTP Response splitting through ‘format’ parameter

Description

On June 05, the security team of Green Tick Nepal Pvt. Ltd. located in Kathmandu, Nepal discovered that MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to HTTP Response splitting via the format parameter.

Proof of Concept

The Security Team of Green Tick Nepal Pvt. Ltd. published a Proof of Concept (POC) for MDaemon Technologies. The vulnerability was found in MDaemon SecurityGateway for Email Servers 8.5.2. The HTTP response Splitting occurs when a web server fails to sanitize CR and LF characters before the data is included in outgoing HTTP headers. The vulnerability allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses. Impacts depend on the technological stack, with outcomes including Cross-Site Scripting, Cookie Injection, CORS Headers Injection, CSP Bypass, Cache Poisoning attacks, and many others.

Solution

As with other similar injection attacks, HTTP Response Splitting can be mitigated by performing appropriate server-side validation and escaping. The canonical ways are the following:
- Carefully validate and sanitize any user-provided content that might be used to compose response headers.
- Encode dangerous characters such as \r and \n.

CVE-ID	Description	Products
CVE-2022-37240	MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to HTTP Response splitting via the format parameter.	MDaemon Technologies SecurityGateway for Email Servers 8.5.2