HTTP Response Splitting
Apache mod_negotiation XSS and HTTP Response Splitting
Date: January 22nd, 2008
Tested Versions: Apache <= 1.3.39, <= 2.0.61, <= 2.2.6
Minded Security ReferenceID: MSA01150108
- Table of Contents -
OPENNMS MULTIPLE VULNERABILITIES
  Vendor
  Application Description
  OpenNMS HTTP Response Splitting Vulnerability
    Vulnerability Information
    Vulnerability Details
    Proof-of-Concept
  OpenNMS Cross-Site Scripting Vulnerabilities
    Vulnerability Information
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
HTTP Response Splitting vulnerability in Sun Delegated Administrator
1. *Advisory Information*
Summary:
A) Prelude to the vulnerabilities
B) Cross Site Scripting
C) HTTP Response Header Injection
D) HTTP Response Splitting
A) Prelude to the vulnerabilities
What follows is the code used to validate the user input:
SecureWorks Security Advisory SWRX-2010-001
Cisco ASA HTTP Response Splitting Vulnerability
Advisory Information
Title: Cisco ASA HTTP Response Splitting Vulnerability
Advisory ID: SWRX-2010-001
Advisory URL: http://www.secureworks.com/ctu/advisories/SWRX-2010-001
Date published: Thursday, June 24, 2010
CVE: CVE-2008-7257
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02512995
Version: 2
HPSBMA02568 SSRT100219 rev.2 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), HTTP Response Splitting, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-15
Last Updated: 2010-09-17
?>
-----------------[ PoC code end ]-----------------------------------
###############################################################################
5. HTTP Response Splitting Vulnerability in "controller.php"
###############################################################################
Reason: using unsanitized user submitted data for HTTP headers generation
Attack vector: user submitted POST parameter "redirect"
Preconditions:
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02512995
Version: 1
HPSBMA02568 SSRT100219 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), HTTP Response Splitting, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-15
Last Updated: 2010-09-15
the box".
II. DESCRIPTION
Multiple vulnerabilities exist in Cacti software (XSS, SQL Injection,
Path Disclosure, HTTP Response Splitting).
III. ANALYSIS
Summary:
A) XSS Vulnerabilities
-=[+] Application: Mobile Mp3 Search Engine
-=[+] Version: 2.0
-=[+] Vendor's URL: http://www.php-search-engine.com/_mobile
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: HTTP Response Splitting
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
Advisory # 2:
TITLE
HTTP Response Splitting vulnerability in ArubaOS Captive Portal Web Interface
SUMMARY
An HTTP Response Splitting vulnerability was discovered in ArubaOS's
www.eVuln.com advisory:
HTTP Response Splitting in WWWThreads (php version)
Summary: http://evuln.com/vulns/156/summary.html
Details: http://evuln.com/vulns/156/description.html
-----------Summary-----------
eVuln ID: EV0156
Software: n/a
Vendor: WWWThreads
Version: 2006.11.25
www.eVuln.com advisory:
HTTP Response Splitting in Social Share
Summary: http://evuln.com/vulns/168/summary.html
Details: http://evuln.com/vulns/168/description.html
-----------Summary-----------
eVuln ID: EV0168
Software: Social Share
Vendor: n/a
Version: 2010-06-05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
AppSecInc Team SHATTER Security Advisory
HTTP Response Splitting in Oracle Enterprise Manager (prevPage parameter).
Risk Level:
Medium
Affected versions:
flaw to bypass intended restrictions and possibly execute arbitrary code.
(CVE-2010-1168, CVE-2010-1447)
It was discovered that the CGI.pm Perl module incorrectly handled certain
MIME boundary strings. An attacker could use this flaw to inject arbitrary
HTTP headers and perform HTTP response splitting and cross-site scripting
attacks. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 10.04 LTS and
10.10. (CVE-2010-2761, CVE-2010-4411)
It was discovered that the CGI.pm Perl module incorrectly handled newline
characters. An attacker could use this flaw to inject arbitrary HTTP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
AppSecInc Team SHATTER Security Advisory
HTTP Response Splitting in Oracle Enterprise Manager (pageName parameter).
Risk Level:
Medium
Affected versions:
CVE-2011-3186
A newline (CRLF) injection vulnerability had been found in
response.rb. This vulnerability allows an attacker to inject arbitrary
HTTP headers and conduct HTTP response splitting attacks via the
Content-Type header.
For the oldstable distribution (lenny), this problem has been fixed in
version 2.1.0-7+lenny1.
Multiple vulnerabilities have been found and corrected in cups:
CUPS does not properly handle (1) HTTP headers and (2) HTML
templates, which allows remote attackers to conduct cross-site
scripting (XSS) attacks and HTTP response splitting attacks via vectors
related to (a) the product's web interface, (b) the configuration of
the print system, and (c) the titles of printed jobs (CVE-2009-2820).
The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable
possible.
Vulnerability Details
=====================
Class: HTTP Response Splitting
Versions: Every Version Before 3.2.9, 3.4.9, 3.6.3, 4.0rc1
Fixed In: 3.2.9, 3.4.9, 3.6.3, 4.0rc1
Description: By inserting a certain string into a URL, it was possible
to inject both headers and content to any browser that
supported "Server Push" (mostly only Gecko-based browsers
A vulnerability was discovered and corrected in perl-CGI-Simple:
CRLF injection vulnerability in the header function in (1) CGI.pm
before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via vectors related to non-whitespace
characters preceded by newline characters, a different vulnerability
than CVE-2010-2761 and CVE-2010-3172 (CVE-2010-4410).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
admin.php?INFO[base_url]=http://phishing-hax.com/
This can also lead to a Full Path Disclosure vulnerability.
The "header()" function doesn't accept CRLF characters; this
protects against HTTP Response Splitting attacks. The level of
"error_reporting" is set in the file "init.php":
210| error_reporting (E_ERROR | E_WARNING | E_PARSE);
So what we have to do to disclose the full path of IPB, is
disclosure or spoofing.
CVE-2007-2292
Stefano Di Paola discovered that insufficient validation of user names
used in Digest authentication on a web site allows HTTP response splitting
attacks.
CVE-2007-3511
It was discovered that insecure focus handling of the file upload
Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before
7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses
that contain multiple Location, Content-Length, or Content-Disposition
headers, which makes it easier for remote attackers to conduct HTTP
response splitting attacks via crafted header values (CVE-2011-3000).
Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey
before 2.4 do not prevent manual add-on installation in response
to the holding of the Enter key, which allows user-assisted remote
attackers to bypass intended access restrictions via a crafted web
Impact
======
A remote attacker could entice a user to visit a malicious URL or send
specially crafted HTTP requests (e.g. using Adobe Flash) to perform
Cross-Site Scripting and HTTP response splitting attacks, or conduct a
Denial of Service attack on the vulnerable web server.
Workaround
==========
interface:
* XSS vulnerabilities
* Path disclosure vulnerabilities
* SQL injection vulnerabilities
* HTTP response splitting vulnerabilities
References:
http://forums.cacti.net/about25749.html
--
A vulnerability has been found and corrected in perl-CGI:
Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote
attackers to inject arbitrary HTTP headers and conduct HTTP response
splitting attacks via unknown vectors. NOTE: this issue exists
because of an incomplete fix for CVE-2010-2761 (CVE-2010-4411).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
Multiple vulnerabilities have been found and corrected in cups:
CUPS does not properly handle (1) HTTP headers and (2) HTML
templates, which allows remote attackers to conduct cross-site
scripting (XSS) attacks and HTTP response splitting attacks via vectors
related to (a) the product's web interface, (b) the configuration of
the print system, and (c) the titles of printed jobs (CVE-2009-2820).
Use-after-free vulnerability in the abstract file-descriptor handling
interface in the cupsdDoSelect function in scheduler/select.c in the
The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm
in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME
boundary string in multipart/x-mixed-replace content, which allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via crafted input that contains this value,
a different vulnerability than CVE-2010-3172 (CVE-2010-2761).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
(4) HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect
(RenderChildren) (CVE-2008-3422).
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via CRLF sequences in the query string
(CVE-2008-3906).
The XML HMAC signature system did not correctly check certain
lengths. If an attacker sent a truncated HMAC, it could bypass
authentication, leading to potential privilege escalation