[Full-disclosure] Google's Blogger.com classic HTTP response splitting vulnerability

---

• From: Meder Kydyraliev <meder@xxxxxx>
• Date: Wed, 18 Jan 2006 18:50:48 +0800

---

Blogger.com classic HTTP response splitting vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. Original Advisory
~~~~~~~~~~~~~~~~~~~
http://o0o.nu/~meder/o0o_Blogger_HTTP_response_splitting.txt


I. Background
~~~~~~~~~~~~~

Blogger.com is Google's blogging service.


II. Description
~~~~~~~~~~~~~~~

Blogger's personal page redirection mechanism contains a classic HTTP
response splitting vulnerability in the "Location" HTTP header. The
problem occurs due to use of unsanitized user-supplied data in the
"Location" HTTP header, which enables attacker to inject CRLF(%0d%0a)
characters thus splitting server's response taking full control over
the contents of second HTTP response. Exploitation of the vulnerability
can lead to cross-site scripting (XSS), cache poisioning and phishing
attacks.

The following URL was taking contents of query string and using it in
"Location" HTTP header without proper sanitation:

http://www.blogger.com/r?[URL here]


III. Vendor status
~~~~~~~~~~~~~~~~~~

Vulnerability has been fixed on 13/01/2006


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~

02/01/2006 - Issue discovered. Vendor notified.
02/01/2006 - Initial vendor response.
12/01/2006 - Vendor inquired on status.
13/01/2006 - Vendor response and confirmation that bug fixed.


V. References
~~~~~~~~~~~~~

1. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf


--
http://o0o.nu/~meder
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• Prev by Date: Re: [Full-disclosure] PC Firewall Choices
• Next by Date: [Full-disclosure] Re: Secure Delete for Windows
• Previous by thread: [Full-disclosure] [USN-244-1] Linux kernel vulnerabilities
• Next by thread: [Full-disclosure] ICQ Cross Site Scripting Vulnerability
• Index(es):
  • Date
  • Thread

---

Relevant Pages Technical Note by Amit Klein: Detecting and Preventing HTTP Response Splitting and HTTP Request Smug ... Detecting and Preventing HTTP Response Splitting ... This technique makes use of implicit information ... server, ... (Bugtraq) Googles Blogger.com classic HTTP response splitting vulnerability ... Blogger's personal page redirection mechanism contains a classic HTTP ... response splitting vulnerability in the "Location" HTTP header. ... Vendor notified. ... (Bugtraq) RE: "Divide and Conquer" - cross site response header tampering, cookie manipulation, and ... The attack I described, HTTP ... Response Splitting, ... cookie from their own web server while redirecting to another site. ... so the victim cannot maintain their session) or could be used ... (Bugtraq) Re: XHR Problem on all Browsers -- except IE ... Does this mean that the response text is faulty? ... request objects is supposed to report the HTTP status of a response, and HTTP does not define a status of zero. ... Seeing a status of zero may suggest that the code that sees the 'response' is seeing it outside of an HTTP context. ... However, I am not certain about this as I am still using XML HTTP request handling modulethat I wrote back in 2003, and they sequence things such that they avoid the original issue. ... (comp.lang.javascript) Re: PHP/pear http put method and text/xml? ... As you insisted in a previous posting that the examples serve as documentation, ... When putting it as a binary, the XML ... > And what message appears when you do HTTP PUT with Python or Java? ... > the response when using the PEAR class? ... (comp.lang.php)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Full-Disclosure  > 2006-01