[Full-disclosure] Google's Blogger.com classic HTTP response splitting vulnerability
- From: Meder Kydyraliev <meder@xxxxxx>
- Date: Wed, 18 Jan 2006 18:50:48 +0800
Blogger.com classic HTTP response splitting vulnerability
0. Original Advisory
Blogger.com is Google's blogging service.
Blogger's personal page redirection mechanism contains a classic HTTP
response splitting vulnerability in the "Location" HTTP header. The
problem occurs due to use of unsanitized user-supplied data in the
"Location" HTTP header, which enables attacker to inject CRLF(%0d%0a)
characters thus splitting server's response taking full control over
the contents of second HTTP response. Exploitation of the vulnerability
can lead to cross-site scripting (XSS), cache poisioning and phishing
The following URL was taking contents of query string and using it in
"Location" HTTP header without proper sanitation:
III. Vendor status
Vulnerability has been fixed on 13/01/2006
IV. Disclosure timeline
02/01/2006 - Issue discovered. Vendor notified.
02/01/2006 - Initial vendor response.
12/01/2006 - Vendor inquired on status.
13/01/2006 - Vendor response and confirmation that bug fixed.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Prev by Date: Re: [Full-disclosure] PC Firewall Choices
- Next by Date: [Full-disclosure] Re: Secure Delete for Windows
- Previous by thread: [Full-disclosure] [USN-244-1] Linux kernel vulnerabilities
- Next by thread: [Full-disclosure] ICQ Cross Site Scripting Vulnerability