viewLinc 5.1.2.367 - Carriage Return Line Feed Attack

By kannthu

Low
Vidoc Module
#crlf #viewlinc
Description

What is the "viewLinc 5.1.2.367 - Carriage Return Line Feed Attack"?

The "viewLinc 5.1.2.367 - Carriage Return Line Feed Attack" module is designed to detect a vulnerability in viewLinc version 5.1.2.367 (and sometimes 5.1.1.50). The vulnerability allows remote attackers to inject carriage return line feed (CRLF) characters into the responses returned by the product, which lets them add arbitrary HTTP headers to the response.

This module has a low severity level and was authored by geeknik.

Impact

If successfully exploited, this vulnerability can allow attackers to manipulate the HTTP response headers, potentially leading to various security issues such as session hijacking, cross-site scripting (XSS), or other forms of injection attacks.

How does the module work?

The module sends an HTTP GET request with a specific payload to the target server. The payload includes the following header injection attempt:

/%0ASet-Cookie:crlfinjection=crlfinjection

The module then checks the response headers for specific conditions to determine if the injection was successful. The matching conditions include:

- The presence of the header "Server: viewLinc/5.1.2.367" and "Set-Cookie: crlfinjection=crlfinjection"
- Alternatively, the presence of the header "Server: viewLinc/5.1.1.50" and "Set-Cookie: crlfinjection=crlfinjection"

If either of these conditions is met, the module reports a vulnerability.
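The two matching conditions can be evaluated offline against a saved raw response, as in the following added example (not the Vidoc module's own code). The names `header_lines` and `matched_banner` and all sample responses are constructed here. As an assumption, the check is stricter than a plain word match: the cookie must start its own header line, so a payload echoed in the body or inside another header's value is not reported.

```python
# Added example: offline evaluation of the matching conditions described above.
# All sample responses are constructed for illustration, not captured traffic.
from typing import List, Optional

BANNERS = ("Server: viewLinc/5.1.2.367", "Server: viewLinc/5.1.1.50")
INJECTED = "Set-Cookie: crlfinjection=crlfinjection"


def header_lines(raw_response: str) -> List[str]:
    """Return the header lines only (everything before the first blank line)."""
    head, _, _body = raw_response.replace("\r\n", "\n").partition("\n\n")
    return [line.strip() for line in head.split("\n")]


def matched_banner(raw_response: str) -> Optional[str]:
    """Return the matching Server banner if the response meets either condition.

    Assumption (stricter than a plain word match): the injected cookie must
    start its own header line, so an echo in the body or in another header's
    value does not count.
    """
    lines = header_lines(raw_response)
    if not any(line.startswith(INJECTED) for line in lines):
        return None
    return next((b for b in BANNERS if b in lines), None)


# Constructed samples.
VULNERABLE = ("HTTP/1.1 404 Not Found\r\nServer: viewLinc/5.1.2.367\r\n"
              "Set-Cookie: crlfinjection=crlfinjection\r\n\r\n")
OLDER_BUILD = VULNERABLE.replace("5.1.2.367", "5.1.1.50")
BODY_ECHO = ("HTTP/1.1 404 Not Found\r\nServer: viewLinc/5.1.2.367\r\n\r\n"
             "Not found: /\nSet-Cookie: crlfinjection=crlfinjection\n")
VALUE_ECHO = ("HTTP/1.1 302 Found\r\nServer: viewLinc/5.1.2.367\r\n"
              "Location: /%0ASet-Cookie: crlfinjection=crlfinjection\r\n\r\n")
OTHER_SERVER = VULNERABLE.replace("viewLinc/5.1.2.367", "nginx")

if __name__ == "__main__":
    for name in ("VULNERABLE", "OLDER_BUILD", "BODY_ECHO", "VALUE_ECHO",
                 "OTHER_SERVER"):
        print(f"{name:13} -> {matched_banner(globals()[name])}")
```

`VALUE_ECHO` is the case a substring-only matcher would flag even though no separate header was created.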

Reference: https://www

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /%0ASet-Cookie:crlfi...
Matching conditions
word: Server: viewLinc/5.1.2.367, Set-Cookie: ...or
word: Server: viewLinc/5.1.1.50, Set-Cookie: c...
Passive global matcher
No matching conditions.
On match action
Report vulnerability