HTTP Response Splitting Vulnerability Help!

#1
Hi All,

We have a site failing PCI for a HTTP Response Splitting Vulnerability.

Here's an obfuscated version of the test URL:
http://florist.mysite.com/WHS X-Resp: Split.php

When called, we receive the following response headers.

HTTP/1.0 301 Moved Permanently
Content-Type: text/html
Content-Length: 1147
Date: Tue, 16 Aug 2016 01:51:57 GMT
Accept-Ranges: bytes
Location: https://florist.mysite.com/WHS
X-Resp: Split.php
Connection: close

HTTP/1.0 404 Not Found
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 1148
Date: Tue, 16 Aug 2016 01:51:57 GMT
Accept-Ranges: bytes
Strict-Transport-Security: max-age=31536000
Connection: close

Notice that the "X-Resp" header gets injected into the initial 301 request. That's the vulnerability.

We tried enabling OWASP rules in MOD_SECURITY for CRS-REQUEST-21-PROTOCOL-ATTACK, but the issue still persists.

https://documentation.cpanel.net/di...WASPModSecurityCRS-REQUEST-21-PROTOCOL-ATTACK

I have read that some MODSEC rules are not compatible with LiteSpeed, so not sure if that's the issue.
Just wondering if there are any suggestions on this. We have many hours invested on this so far.
Thanks for any assistance.

John
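To show the two sides of this issue, here is an added example that is not code from the thread or from LiteSpeed: a redirect builder that refuses CR/LF in the request path before it is copied into Location, and a check over a captured response head that flags header names the server never sends. The sample 301 head is constructed from the headers quoted above; the names in EXPECTED_HEADERS are an assumption taken from those same responses.

```python
import re
from urllib.parse import quote

# A CR, LF or other control byte copied into a header value lets the client
# see a second, attacker-chosen set of headers (response splitting).
CTL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def is_safe_redirect_path(path: str) -> bool:
    """True only for an absolute path with no control characters."""
    return path.startswith("/") and not CTL_CHARS.search(path)

def safe_redirect_target(scheme: str, host: str, path: str) -> str:
    """Build a Location value from a request path; refuse control bytes and
    percent-encode everything else that is not path-safe."""
    if not is_safe_redirect_path(path):
        raise ValueError("refusing redirect: unsafe path")
    return f"{scheme}://{host}{quote(path, safe='/?=&')}"

# Header names the server legitimately emits (assumed from the responses
# shown in the post); any other name in a response head is suspicious.
EXPECTED_HEADERS = {
    "content-type", "content-length", "date", "accept-ranges", "location",
    "connection", "strict-transport-security", "cache-control", "pragma",
}

def unexpected_headers(raw_head: bytes, expected=EXPECTED_HEADERS) -> list:
    """Parse a raw HTTP response head and return header names not in the
    expected set, such as one injected through a split request path."""
    lines = raw_head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    found = []
    for line in lines[1:]:  # skip the status line
        name, sep, _ = line.partition(b":")
        clean = name.strip().decode("latin-1")
        if sep and clean.lower() not in expected:
            found.append(clean)
    return found

# Constructed sample: the 301 head from the post, with the injected X-Resp line.
SAMPLE_301 = (
    b"HTTP/1.0 301 Moved Permanently\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 1147\r\n"
    b"Location: https://florist.mysite.com/WHS\r\n"
    b"X-Resp: Split.php\r\n"
    b"Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    print(unexpected_headers(SAMPLE_301))  # ['X-Resp']
    print(safe_redirect_target("https", "florist.mysite.com", "/WHS X-Resp: Split.php"))
```

Run the check against the raw bytes captured from the scanner's request to confirm whether the extra header really arrives on the wire or is only rendered that way by the tool.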
 

Pong

Administrator
Staff member
#2
Most OWASP rules support LiteSpeed. For unsupported rules, it should prompt some message in the error log.

Comodo has rule sets for different servers. Check the LiteSpeed one to see if there is something covering the issue.
 
#3
Thanks Pong. I have read many forums that indicate there are some OWASP rules that will not work with LiteSpeed and show no error in the modsec logs. I tried all relevant COMODO rules but none of them intercept this attack and none of them generate a log entry. Any other suggestions?

Thanks again.

John
 