[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0504151948510.3279-100000@bugsbunny.castlecops.com>
Date: Fri, 15 Apr 2005 19:58:01 -0400 (EDT)
From: Paul Laudanski <zx@...tlecops.com>
To: JeiAr <security@...ftech.org>
Cc: vuln@...unia.com, news@...uriteam.com,
full-disclosure@...ts.grok.org.uk, bugs@...uritytracker.com,
bugtraq@...urityfocus.com, vulndiscuss@...nwatch.org,
moderators@...db.org
Subject: Re: Http Response Splitting Vulnerability In
PHP-NUKE 7.6 and below
Technically http response splitting occurs when a web application fails to
reject illegal input such as the CR and LF characters. PHP-Nuke's
mainfile.php has had the following function in it:
function removecrlf($str) {
return strtr($str, "\015\012", ' ');
}
So the power is there to stop it, but it isn't being used.
It should be called more frequently on user input validation. However, a
one stop shop would be to install mod_security with the appropriate
filters. It won't just protect a webapp like php-nuke or postnuke, it'll
protect all the pages accessible via Apache.
However, $forwarder should only accept URLs, and nothing more in this
example. As such, there ought to be a whitelist of characters that are
approved for input specific to URLs.
But when it comes to CRLFs, I can't see anything at the moment why they
ought to be whitelisted.
On 15 Apr 2005, JeiAr wrote:
> In-Reply-To: <20050416033018.9721.qmail@....securityfocus.com>
>
> "Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string()
> and other functions for input validation before passing user input
> to the mysql database, or before echoing data on the screen, would solve these
> problems."
>
> The htmlspecialchars() would most definately keep the html code from being rendered, but would it really fix http response splitting?
>
> Maybe something like this would work better?
>
> $location = str_replace('\n', '', urldecode($location));
> $location = str_replace('\r', '', urldecode($location));
> $location = str_replace('&', '&', htmlspecialchars($location));
>
> James
>
>
> >Dcrab 's Security Advisory
> >[Hsc Security Group] http://www.hackerscenter.com/
> >[dP Security] http://digitalparadox.org/
> >
> >Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
> >
> >Severity: High
> >Title: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
> >Date: 15/04/2005
> >
> >Vendor: Php-Nuke
> >Vendor Website: http://www.phpnuke.org
> >Summary: There are, http response splitting vulnerability in php-nuke 7.6 and below.
--
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.
part000.txt - is OK
http://castlecops.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists