[Full-disclosure] Google's Blogger.com classic HTTP response splitting vulnerability




Blogger.com classic HTTP response splitting vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. Original Advisory
~~~~~~~~~~~~~~~~~~~
http://o0o.nu/~meder/o0o_Blogger_HTTP_response_splitting.txt


I. Background
~~~~~~~~~~~~~

Blogger.com is Google's blogging service.


II. Description
~~~~~~~~~~~~~~~

Blogger's personal page redirection mechanism contains a classic HTTP
response splitting vulnerability in the "Location" HTTP header. The
problem occurs because unsanitized user-supplied data is placed in the
"Location" HTTP header, which enables an attacker to inject CRLF (%0d%0a)
characters, thus splitting the server's response and taking full control
over the contents of the second HTTP response. Exploitation of the
vulnerability can lead to cross-site scripting (XSS), cache poisoning and
phishing attacks.

The following URL took the contents of the query string and used it in
the "Location" HTTP header without proper sanitization:

http://www.blogger.com/r?[URL here]
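As an added illustration (not Blogger's code, and not part of the original advisory), the following is a hardened version of a redirect endpoint of the kind described above: it percent-decodes the user-supplied target once, rejects any control character (so a literal CRLF and an encoded %0d%0a are both caught) and only emits a Location header for an absolute http(s) URL. The query parameter name and the example hosts are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Control bytes (CR, LF, NUL, ...) must never reach a header value.
CTRL = re.compile(r"[\x00-\x1f\x7f]")
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeRedirect(ValueError):
    """Raised when a redirect target could alter the response headers."""


def safe_location(raw_target: str) -> str:
    """Return a Location header value that cannot split the response.

    raw_target is the value of the (assumed) "url" query parameter as it
    arrived, i.e. still percent-encoded.
    """
    decoded = unquote(raw_target)          # %0d%0a -> "\r\n"
    if CTRL.search(decoded) or not decoded.isascii():
        raise UnsafeRedirect("control or non-ASCII character in redirect target")
    parts = urlsplit(decoded)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise UnsafeRedirect("redirect target must be an absolute http(s) URL")
    return decoded


def is_safe_target(raw_target: str) -> bool:
    """Convenience predicate for logging/alerting on rejected redirects."""
    try:
        safe_location(raw_target)
        return True
    except UnsafeRedirect:
        return False


def redirect_response(raw_target: str) -> bytes:
    """Build the raw 302 response, or a 400 if the target is unsafe."""
    try:
        location = safe_location(raw_target)
    except UnsafeRedirect:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("ascii")


def response_count(raw: bytes) -> int:
    """A well-formed reply contains exactly one status line."""
    return raw.count(b"HTTP/1.1 ")
```

Rejected targets are worth logging: a request to the redirect endpoint carrying %0d or %0a in its query string is a reliable indicator of a response splitting attempt.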


III. Vendor status
~~~~~~~~~~~~~~~~~~

The vulnerability was fixed on 13/01/2006.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~

02/01/2006 - Issue discovered. Vendor notified.
02/01/2006 - Initial vendor response.
12/01/2006 - Vendor inquired on status.
13/01/2006 - Vendor response and confirmation that bug fixed.


V. References
~~~~~~~~~~~~~

1. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf


--
http://o0o.nu/~meder
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


