CRLF Injection · HTTP Response Splitting · cPanel/WHM

Is your cPanel server vulnerable to CRLF injection?

Check in seconds if your cPanel/WHM installation allows CRLF (Carriage Return Line Feed) injection at the /login/?user= endpoint. Non-destructive test, instant result, remediation plan included.

About the CRLF vulnerability

Everything you need to know about this injection and how to protect your server

What is CRLF Injection?

CRLF injection allows an attacker to inject carriage return and line feed characters (\r\n) into HTTP headers. Because the server treats those characters as the end of a header line, the attacker can then append headers of their own, which enables response manipulation, session hijacking, web cache poisoning and reflected XSS.

Attack vector

The user parameter of the /login/ endpoint does not properly filter URL-encoded %0D%0A sequences, so once the value is decoded the raw CR/LF bytes reach the response and allow an attacker to introduce arbitrary HTTP headers in the server's reply.

How to protect

Update cPanel/WHM to the latest version immediately. Implement a WAF with control-character filtering, configure strict security headers and monitor server logs regularly.
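To make the mechanism concrete, here is an added example (it is not code from this page or from cPanel): a toy HTTP response builder that echoes the user parameter into a response header the way the vulnerable endpoint does, next to a hardened version that rejects control characters, plus the reflection check the scanner relies on. The handler, the X-Login-User header and the probe string are constructed for the illustration; only the /login/?user= endpoint and the X-Vulnerable-Test header come from the page.

```python
"""Added example (not the page's or cPanel's code): why unfiltered CR/LF in a
query parameter splits an HTTP response, and how rejecting control characters
stops it. The handler and header names are constructed for illustration."""
from urllib.parse import parse_qs, urlsplit

CRLF = "\r\n"


def _user_param(request_target: str) -> str:
    """Extract the ``user`` query value; parse_qs URL-decodes it, so
    %0D%0A becomes real CR/LF bytes exactly as in the described defect."""
    query = urlsplit(request_target).query
    return parse_qs(query).get("user", [""])[0]


def build_response_vulnerable(request_target: str) -> str:
    """Naive handler: copies the decoded parameter straight into a header."""
    user = _user_param(request_target)
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        f"X-Login-User: {user}",  # attacker-controlled, never filtered
    ]
    return CRLF.join(headers) + CRLF + CRLF + "<html>login</html>"


def sanitize_header_value(value: str) -> str:
    """Hardened rule: refuse CR, LF and every other C0/DEL control character
    rather than trying to strip them (stripping invites encoding tricks)."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValueError("control characters are not allowed in header values")
    return value


def build_response_hardened(request_target: str) -> str:
    """Same handler with the value validated before it reaches the header block."""
    try:
        user = sanitize_header_value(_user_param(request_target))
    except ValueError:
        return "HTTP/1.1 400 Bad Request" + CRLF + CRLF
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        f"X-Login-User: {user}",
    ]
    return CRLF.join(headers) + CRLF + CRLF + "<html>login</html>"


def parse_headers(raw_response: str) -> dict:
    """Split a raw response into {lowercased-name: value}, skipping the status line."""
    head, _, _body = raw_response.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def reflects_test_header(raw_response: str, name: str = "X-Vulnerable-Test") -> bool:
    """The check the scanner performs: did the injected test header become a
    real header in the server's response?"""
    return name.lower() in parse_headers(raw_response)


# Constructed probe: the encoded CRLF followed by the page's harmless test header.
PROBE = "/login/?user=audit%0D%0AX-Vulnerable-Test:YES"
BENIGN = "/login/?user=audit"

if __name__ == "__main__":
    print("vulnerable reflects:", reflects_test_header(build_response_vulnerable(PROBE)))
    print("hardened reflects:  ", reflects_test_header(build_response_hardened(PROBE)))
    print("hardened benign:    ", parse_headers(build_response_hardened(BENIGN)))
```

The hardened builder answers the probe with 400 instead of silently stripping the bytes; rejecting is the safer choice because a stripping filter has to anticipate every encoding a decoder might apply later.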

Everything about CRLF vulnerability in cPanel

Answers to common questions about CRLF injection, detection and remediation

What is the CRLF vulnerability in cPanel?

CRLF (Carriage Return Line Feed) injection in cPanel/WHM allows an attacker to insert encoded %0D%0A characters in HTTP parameters, mainly in the /login/?user= endpoint. This enables response header manipulation, reflected XSS attacks, web cache poisoning and administrative session hijacking. It is also known as HTTP Response Splitting.

How do I know if my cPanel server is vulnerable to CRLF?

Use this free scanner: enter your cPanel server URL (port 2083) or WHM URL (port 2087) and click Scan. The test injects an innocuous test header, X-Vulnerable-Test: YES, after an encoded CRLF sequence. If the server reflects that header in its HTTP response, it is vulnerable to CRLF injection and must be patched immediately.

Does the CRLF test damage my cPanel server?

No. The test is completely non-destructive: it only injects a test HTTP header to verify whether the server processes it improperly. It does not modify configurations, create files, consume significant resources or require authentication. It is equivalent to a normal HTTP request with a special parameter.

Which versions of cPanel and WHM are affected?

The vulnerability affects versions of cPanel/WHM that have not received the corresponding security patch. Check your version with /usr/local/cpanel/cpanel -V from SSH and consult the official cPanel changelog to confirm whether your build includes the CRLF injection fix. LTS tier builds that have not been updated are the most exposed.

How do I patch the CRLF vulnerability in cPanel?

The fastest way is to update cPanel/WHM to the latest version by running /scripts/upcp --force from SSH as root. As a temporary mitigation, you can add ModSecurity rules that block %0D%0A sequences in URIs and arguments. This tool automatically generates a complete remediation plan with copyable commands when it detects the vulnerability.

Does the scanner work with WHM as well as cPanel?

Yes. WHM typically runs on port 2087 (SSL) or 2086 (non-SSL), while cPanel uses 2083 (SSL) or 2082 (non-SSL). Enter the URL including the port, for example https://your-server.com:2087. The CRLF test applies to the underlying login module (cpsrvd) shared by cPanel and WHM.

Is it legal to use this scanner against other servers?

No. In most jurisdictions (Computer Fraud and Abuse Act in the US, Budapest Convention in Europe, local cybercrime laws) testing systems without explicit owner authorization is illegal and may carry prison sentences. This tool requires authorization confirmation before running the test and is designed solely for auditing your own servers.

Are my tests logged anywhere?

The tool does not store tested URLs in databases. Rate limiting uses only temporary PHP sessions. However, the target server does log the request in its own access logs (/usr/local/apache/logs/access_log), like any normal HTTP request. This is expected in a legitimate audit.
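Since the probe leaves a trace in the web server's access log, as the FAQ notes, a defender can look for it (and for any other attempt of the same kind) without touching the application. The following is an added example, not part of the page or of cPanel: it scans Apache combined-format log lines for request targets carrying single- or double-encoded CR/LF sequences and reports who sent them. The log lines are constructed for the example; the log path is the one the page names.

```python
"""Added example (not the page's or cPanel's code): find CRLF probes in Apache
combined-format access log lines. Sample log lines are constructed here."""
import re
from typing import Dict, List

# Apache "combined" format: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# %0D / %0A in either case, plus the double-encoded form (%250D / %250A) used
# to survive one URL-decoding pass before the vulnerable component sees it.
CRLF_RE = re.compile(r'%(?:25)?0[dDaA]')


def find_crlf_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose request target contains an
    encoded CR or LF. Lines that are not in combined format are skipped."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if CRLF_RE.search(target):
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "target": target,
                "status": m.group("status"),
            })
    return findings


# Constructed sample of /usr/local/apache/logs/access_log content.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /login/?user=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2024:13:55:40 +0000] "GET /login/?user=alice%0D%0AX-Vulnerable-Test:YES HTTP/1.1" 200 512 "-" "crlf-check/1.0"',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /login/?user=bob%250d%250aX-Vulnerable-Test:YES HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2024:13:56:05 +0000] "GET /frontend/index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    'this line is not in combined format and is ignored',
]

if __name__ == "__main__":
    for hit in find_crlf_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} -> {hit["target"]} ({hit["status"]})')
```

A 200 status on a hit does not by itself prove the injection worked; it tells you which source to correlate with the scanner's result and which requests a ModSecurity rule blocking %0D%0A in URIs and arguments should have turned into 403s once that mitigation is in place.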

Need help patching your server?

Audit, urgent patching and professional hardening by a sysadmin with 12+ years of experience in cPanel/WHM, server security and VoIP infrastructure. Free quote in less than 24 hours, with no obligation.

12+ years of experience
500+ servers secured
<24h response time
NDA total confidentiality

Contact directly

No intermediaries, no forms. Personal response to your inquiry.

Legal Notice and Ethical Use

This tool is designed exclusively for system administrators to verify their own servers or those they have explicit authorization for. Unauthorized use against third-party systems may constitute a crime under laws such as the Computer Fraud and Abuse Act (CFAA) in the US, the Budapest Convention on cybercrime or local equivalents. The test performed is non-destructive: it only verifies the reflection of an innocuous test header and does not compromise the system. You are fully responsible for how you use this tool.