libsoup Content-Type Header CRLF Injection Vulnerability Allowing HTTP Header Injection and Response Splitting

A CRLF injection vulnerability has been identified in libsoup, specifically in the 'soup_message_headers_set_content_type()' function. This issue arises from inadequate input sanitization, allowing an attacker to inject a Carriage Return Line Feed (CRLF) sequence into the Content-Type header. The vulnerability enables the injection of arbitrary header-value pairs, which could be exploited for HTTP header injection and response splitting attacks.

Impact

Exploitation of this vulnerability allows for HTTP header injection and response splitting, with the potential to inject arbitrary headers into the HTTP response.

Reproduction

The vulnerability can be reproduced by using the 'soup_message_headers_set_content_type()' function to set a Content-Type header value that includes a CRLF sequence. This can be done by calling the function with a crafted header value that contains the injection. Once the header is set, the HTTP request or response can be sent, demonstrating that the injected header value has been successfully inserted.

Remediation

Users are advised to update to a version of libsoup that addresses this vulnerability. The recommended solution is to use the 'soup_message_headers_append()' function instead of 'soup_message_headers_append_common()' when setting the Content-Type header.