lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060118105048.GA7330@localhost>
Date: Wed, 18 Jan 2006 18:50:48 +0800
From: Meder Kydyraliev <meder@....nu>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Google's Blogger.com classic HTTP response
	splitting vulnerability



        Blogger.com classic HTTP response splitting vulnerability
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. Original Advisory
~~~~~~~~~~~~~~~~~~~
http://o0o.nu/~meder/o0o_Blogger_HTTP_response_splitting.txt


I. Background
~~~~~~~~~~~~~

Blogger.com is Google's blogging service.


II. Description
~~~~~~~~~~~~~~~

Blogger's personal page redirection mechanism contains a classic HTTP
response splitting vulnerability in the "Location" HTTP header. The
problem occurs due to use of unsanitized user-supplied data in the
"Location" HTTP header, which enables attacker to inject CRLF(%0d%0a)
characters thus splitting server's response taking full control over
the contents of second HTTP response. Exploitation of the vulnerability
can lead to cross-site scripting (XSS), cache poisioning and phishing
attacks.

The following URL was taking contents of query string and using it in
"Location" HTTP header without proper sanitation:

http://www.blogger.com/r?[URL here]


III. Vendor status 
~~~~~~~~~~~~~~~~~~

Vulnerability has been fixed on 13/01/2006


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~

02/01/2006 - Issue discovered. Vendor notified.
02/01/2006 - Initial vendor response.
12/01/2006 - Vendor inquired on status.
13/01/2006 - Vendor response and confirmation that bug fixed.


V. References
~~~~~~~~~~~~~

1. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf


-- 
http://o0o.nu/~meder
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ