You may see following as a sample:
WebCalendar CRLF Injection Vulnerability
I. BACKGROUND
WebCalendar is a PHP application used to maintain a calendar for one
or more persons and for a variety of purposes.
II. DESCRIPTION
CRLF injection vulnerability in WebCalendar layers_toggle.php allows
remote attackers to inject false HTTP headers into an HTTP request,
via a URL containing encoded carriage return, line feed, and other
whitespace characters.
III. PUBLISH DATE
Publish Date: 2005-12-1
Update Date: 2005-12-2
IV. AUTHOR
lwang (lwang at lwang dot org)
V. AFFECTED SOFTWARE
WebCalendar version 1.0.1 and 1.1.0 are affected. Older versions are
not verified.
VI. ANALYSIS
in layers_toggle.php, parameter $ret does not validation.
if ( empty ( $error ) ) {
// Go back to where we where if we can figure it out.
if ( strlen ( $ret ) )
do_redirect ( $ret );
else if ( ! empty ( $HTTP_REFERER ) )
do_redirect ( $HTTP_REFERER );
else
send_to_preferred_view ();
Proof of Concept:
http://victim/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]
VII. SOLUTION
Input validation will fix the bug.
VIII. ADVISORY
http://vd.lwang.org/webcalendar_crlf_injection.txt
IX. REFERENCE
http://www.k5n.us/webcalendar.php
2006/5/23, Pete Soderling <pete@techsmartgroup.com>:
Hey all,
I'm interested if anyone has any sample appsec vulnerability reports to
share. I'm interested in learning/evaluating the best ways to report on
vulnerabilities to a client, and it would be helpful to see different ways
others have done it. Obviously, I'm not interested in - and don't want these
to contain any client-specific or sensitive info - but if anyone has any
appropriate documentation to share it would be helpful.
Also appreciated would be links to any other online projects dealing with
this - although I haven't found much yet. I know OWASP has a PenTest
Reporter tool in the works that would fall into this category, although it
doesn't look like it's been officially released yet.
Thanks for any help or suggestions.
cheers,
--pete
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
--
Homepage: http://www.lwang.org
mailto:abryson@bytefocus.com
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
