Calibre Content Server HTTP Response Header Injection Vulnerability

Vulnerability

An HTTP response header injection vulnerability has been identified in the Calibre Content Server, affecting versions prior to 9.4.0. This vulnerability allows authenticated users to inject arbitrary HTTP headers into server responses. The issue arises from the 'content_disposition' query parameter in the '/get/' and '/data-files/get/' endpoints, which is not properly sanitized before being included in the 'Content-Disposition' HTTP response header. The vulnerability can be exploited by any authenticated user and has the potential to impact all users with authentication enabled.

Impact

Exploitation of this vulnerability allows for HTTP response header injection, which can lead to response splitting. This could enable cross-site scripting (XSS) by injecting a 'Content-Type: text/html' header with malicious HTML, executing JavaScript in the context of the victim's browser. Additionally, it could facilitate session fixation by injecting 'Set-Cookie' headers to control session cookies in the victim's browser. If the Calibre server is behind a caching reverse proxy, injected headers could poison cached responses, affecting other users.

Reproduction

To reproduce this vulnerability, first start the Calibre Content Server with authentication enabled. After authenticating, send a GET request to the '/get/' endpoint, including a crafted 'content_disposition' query parameter that injects additional headers such as 'X-Injected' and 'Set-Cookie'. The response will reflect the injected headers, demonstrating the successful exploitation of the vulnerability.

Remediation

Users can upgrade to Calibre version 9.4.0 or later, where this vulnerability has been fixed.
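For defenders who cannot upgrade immediately, the following is an added example (not Calibre's own code) of the two controls that close this class of bug: a header builder that allowlists the disposition token and refuses control characters in the filename, and a log check that flags requests to the affected endpoints whose 'content_disposition' value is anything other than an allowed token. The function names, the common-log-format sample lines and the user names are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowed disposition tokens and the endpoints named in the advisory.
ALLOWED_DISPOSITIONS = {"inline", "attachment"}
AFFECTED_PATHS = ("/get/", "/data-files/get/")
CTRL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def safe_content_disposition(disposition: str, filename: str) -> str:
    """Hardened header builder (hypothetical, not Calibre's code): the
    disposition token is allowlisted instead of copied from the query string,
    and a filename with control characters is refused, so neither value can
    end the header line and start a new one."""
    if disposition not in ALLOWED_DISPOSITIONS:
        raise ValueError(f"disposition not allowed: {disposition!r}")
    if CTRL_CHARS.search(filename):
        raise ValueError("control character in filename")
    quoted = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'{disposition}; filename="{quoted}"'

def header_is_safe(disposition: str, filename: str) -> bool:
    try:
        safe_content_disposition(disposition, filename)
        return True
    except ValueError:
        return False

def find_suspicious_requests(log_lines):
    """Flag requests to the affected endpoints whose content_disposition
    value decodes to anything but an allowed token; returns (url, value)."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|HEAD) (\S+) HTTP/', line)
        if not m:
            continue
        url = m.group(1)
        parts = urlsplit(url)
        if not parts.path.startswith(AFFECTED_PATHS):
            continue
        # parse_qs percent-decodes, so %0d%0a shows up here as CR LF.
        for value in parse_qs(parts.query).get("content_disposition", []):
            if value not in ALLOWED_DISPOSITIONS:
                hits.append((url, value))
    return hits

# Constructed access-log lines in common log format, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [27/Feb/2026:20:27:00 +0000] "GET /get/EPUB/12?content_disposition=attachment HTTP/1.1" 200 1024',
    '10.0.0.9 - bob [27/Feb/2026:20:28:13 +0000] "GET /get/EPUB/12?content_disposition=attachment%0d%0aX-Injected:%201 HTTP/1.1" 200 1024',
]
```

Run `find_suspicious_requests` over the server's access log to spot attempts against an unpatched instance; the hardened builder is the pattern to look for when reviewing any handler that copies request data into a response header.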

Added: Feb 27, 2026, 8:27 PM
Updated: Feb 27, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 4.2
remediation: 7.7
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.