kaepeekay
0 Points
1 Post
ASP.NET Veracode Scanning issues
Dec 21, 2012 04:21 AM
Our client uses the Veracode scanning tool to scan an ASP.NET application. We have solved many flaws except for the below.
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE ID 113) (1 flaw) in the line
    HttpContext.Current.Response.AddHeader("Content-Disposition", contentDisposition);
    using System;
    using System.Web;

    public static void DownloadFile(string fileName, byte[] dByteData, bool isNoOpen = false)
    {
        if (string.IsNullOrWhiteSpace(fileName))
        {
            return;
        }
        byte[] fileContents = dByteData;

        // CR/LF stripping added in an attempt to satisfy the scanner
        fileName = fileName.Replace("\n", "").Replace("\r", "");
        // original value; not a valid media type (application/octet-stream is the usual choice for opaque downloads)
        string contentType = "application/*.";
        // UrlPathEncode: while downloading, the file name came with junk characters
        string contentDisposition = "attachment; filename=\"" + HttpContext.Current.Server.UrlPathEncode(fileName) + "\"";
        contentDisposition = contentDisposition.Replace("\n", "").Replace("\r", "");

        HttpResponse response = HttpContext.Current.Response;
        response.Buffer = true;
        response.Clear();
        response.ClearContent();
        response.ClearHeaders();
        response.Charset = "";
        response.ContentType = contentType;
        if (isNoOpen)
        {
            response.AddHeader("X-Download-Options", "noopen");
        }
        response.AddHeader("Content-Disposition", contentDisposition); // line flagged by Veracode (CWE 113)
        response.AddHeader("Content-Length", fileContents.Length.ToString());
        response.BinaryWrite(fileContents);
        response.Flush();
        // Response.End() was removed here: it throws ThreadAbortException, so the
        // Flush() and CompleteRequest() that followed it never ran.
        HttpContext.Current.ApplicationInstance.CompleteRequest();
    }
External Control of File Name or Path (CWE ID 73)
    if (File.Exists(filePath))
    {
        File.Delete(filePath);
    }
It shows the error on the File.Delete line. We have tried sanitizing filePath and also used Path.GetFullPath, but in vain.
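The CWE 73 finding in the post above is about a request-controlled filePath reaching File.Delete with no containment check between the two. Below is an added example, not code from the original thread, of the shape of check that closes that gap: the request supplies only a leaf file name, the base directory comes from the application (the baseDir parameter and the ConfinedDelete class name are assumptions for this example), and the normalised result is verified to sit under that directory before File.Delete runs.

```csharp
using System;
using System.IO;

// Added example (not code from the original posts). Confines a user-controlled
// file name to one directory before File.Delete is called, which is the check
// a scanner reporting CWE 73 wants to see between the input and the file API.
public static class ConfinedDelete
{
    // Returns the absolute path of userFileName inside baseDir, or null if the
    // name is rejected. baseDir is assumed to come from configuration, never from the request.
    public static string ResolveInside(string baseDir, string userFileName)
    {
        if (string.IsNullOrWhiteSpace(userFileName)) return null;

        // Reject anything that is not a plain leaf name: separators, drive colons,
        // control characters (including CR/LF) and the reserved punctuation are all
        // in GetInvalidFileNameChars(). Checking first also keeps Path.* from throwing.
        if (userFileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (userFileName == "." || userFileName == "..") return null;

        // Windows silently strips trailing dots and spaces, so "secret.txt." would
        // resolve to "secret.txt"; refuse names that normalisation would change.
        if (userFileName.TrimEnd('.', ' ') != userFileName) return null;

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
        {
            root += Path.DirectorySeparatorChar;
        }
        string full = Path.GetFullPath(Path.Combine(root, userFileName));

        // Final containment check after normalisation: the result must still be under root.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    // Deletes the file if, and only if, it resolves inside baseDir.
    // Returns true when a file was actually deleted.
    public static bool TryDelete(string baseDir, string userFileName)
    {
        string full = ResolveInside(baseDir, userFileName);
        if (full == null || !File.Exists(full)) return false;
        File.Delete(full);
        return true;
    }
}
```

An illustrative call from a page would be ConfinedDelete.TryDelete(Server.MapPath("~/App_Data/uploads"), Request["file"]) (the folder and parameter name are assumptions). Names such as "..\\web.config", "C:\\x", "a/b" and "report.txt." all come back as null and nothing is deleted; only a plain leaf name that exists under the base directory reaches File.Delete. Path.GetFullPath on its own, as tried in the post, normalises the path but does not refuse one that has been normalised out of the intended folder; it is the StartsWith comparison against the root that does that.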
shanmugamm
Participant
1612 Points
317 Posts
Re: ASP.NET Veracode Scanning issues
Dec 21, 2012 04:49 AM
Why do you need to pass the ContentDisposition part of your header?
Here is the description of the error:
Including unvalidated data in an HTTP header allows an attacker to specify the entirety of the HTTP response rendered by the browser. When an HTTP request contains unexpected CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n) characters, the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks.
HTTP response splitting weaknesses may be present when:
Data enters a web application through an untrusted source, most frequently an HTTP request.
The data is included in an HTTP response header sent to a web user without being validated for malicious characters.
We need to avoid passing unwanted data via the HTTP header. We should use the alternate approach.
http://shanmugam-netguru.blogspot.com
Follow me in Linkedin
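The reply above describes the weakness; the usual way to satisfy the finding is to stop building the header value from raw request data at all. Below is an added example, not code from either post, that replaces the CR/LF Replace() calls with an allow-list on the file name and then builds the header value through System.Net.Mime.ContentDisposition so the quoting is done by the framework rather than by string concatenation. The SafeDownload class name, the "download.bin" fallback name and the 100-character cap are assumptions chosen for the example.

```csharp
using System;
using System.Net.Mime;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not code from the original posts). Builds Content-Disposition
// from an allow-listed leaf file name instead of stripping \r and \n from a
// concatenated string, so no header delimiter can reach the response.
public static class SafeDownload
{
    // Allow-list: letters, digits, space, dot, dash and underscore. Everything else
    // (CR, LF, quotes, ';', path separators, control characters) is removed.
    private static readonly Regex Disallowed = new Regex(@"[^A-Za-z0-9 ._-]", RegexOptions.Compiled);

    // Returns a header-safe leaf file name, or null if nothing usable remains.
    public static string SanitizeFileName(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName)) return null;

        // Drop any directory part; done by hand because Path.GetFileName throws on
        // control characters, and the input may well contain them.
        int cut = Math.Max(fileName.LastIndexOf('/'), fileName.LastIndexOf('\\'));
        string leaf = cut >= 0 ? fileName.Substring(cut + 1) : fileName;

        string clean = Disallowed.Replace(leaf, "").Trim();
        if (clean.Trim('.').Length == 0) return null;          // empty, "." or "..."
        return clean.Length > 100 ? clean.Substring(0, 100) : clean;
    }

    // "attachment; filename=..." produced by the framework type, not by string concatenation.
    public static string BuildContentDisposition(string fileName)
    {
        string safe = SanitizeFileName(fileName) ?? "download.bin";   // assumed fallback name
        var cd = new ContentDisposition
        {
            DispositionType = DispositionTypeNames.Attachment,
            FileName = safe
        };
        return cd.ToString();
    }

    public static void DownloadFile(HttpContext ctx, string fileName, byte[] data, bool noOpen = false)
    {
        HttpResponse response = ctx.Response;
        response.Clear();
        response.ClearHeaders();
        response.ContentType = "application/octet-stream";   // opaque bytes, nothing for the browser to sniff
        if (noOpen)
        {
            response.AppendHeader("X-Download-Options", "noopen");
        }
        response.AppendHeader("Content-Disposition", BuildContentDisposition(fileName));
        response.AppendHeader("Content-Length", data.Length.ToString());
        response.BinaryWrite(data);
        response.Flush();
        // CompleteRequest() instead of Response.End(): same effect, no ThreadAbortException.
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

Two caveats worth knowing when chasing this finding. First, ASP.NET's own header checking (httpRuntime enableHeaderChecking, on by default) already encodes CR and LF in values passed to AddHeader and AppendHeader, so a literal split is blocked at runtime; a static scanner, however, follows the data flow from the request to the header call and keeps reporting it until the value passes through a sanitizer it recognises, which is the usual reason a hand-written Replace() on the flagged line does not clear it. Second, an allow-list that keeps only ASCII means ContentDisposition never has to RFC 2047-encode the name, which is what produced the "junk characters" mentioned in the original post's comment when non-ASCII names were passed through unchanged.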