This one will replace malicious tags by their entities.
The most effective replacement is the one that protects
against SQL injection (single/double quotes).
Replacements of strings that contain more than
one character can be bypassed with the CR (Carriage Return)
character (e.g. bypassing the replacement of ../ by using
..%0D/).
We can also use that trick to encode links. For example the
parameter "act=Members", is the same as "%2561%2563%2574=
*Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.*
*Version Affected:*
Chrome/0.2.149.30
Chrome/0.2.149.29
*Severity:*
High
0x0009 (Tab)
0x000a (Line feed)
0x000b (Vertical tab)
0x000c (Form feed)
0x000d (Carriage return)
0x003a (':')
0x005c ('\')
the Bluetooth stack would crash and cause the phone to freeze. It should be noted that in order to exploit this, the attacker has to pair with the victim's phone first. This vulnerability can be illustrated by the following Python code (requires the PyBluez package; tested under Python 2.5.2, PyBluez 0.15 with the Microsoft Bluetooth stack from Windows XP SP2):
}

# HTML entities in the literals below were decoded by the page extraction;
# they are restored here to the entity form the replacement actually targets.
$val = str_replace( "&#032;", " ", IPSText::stripslashes($val) );

# Convert all carriage return combos
$val = str_replace( array( "\r\n", "\n\r", "\r" ), "\n", $val );

$val = str_replace( "&", "&amp;", $val );
$val = str_replace( "<!--", "&#60;&#33;--", $val );
3. *Vulnerability Description*
An HTTP Response Splitting vulnerability [1][2] has been discovered in
Sun Java System Delegated Administrator. HTTP Response Splitting occurs
when an attacker is able to inject a carriage return (0x0D) or line
feed (0x0A) character sequence into the HTTP headers of the web server's
response. This allows proxy cache-poisoning attacks that affect the
proxy's user base when they request a web page belonging to the affected
domain, as well as redirection attacks and other kinds of Cross-Site
Scripting attacks.
OpenNMS 1.5.93-1
Other versions may also be affected.
Vulnerability Details
An input validation problem exists within OpenNMS which allows injecting
CR (carriage return - %0D or \r) and LF (line feed - %0A or \n)
characters into the server's HTTP response header, resulting in an
HTTP Response Splitting [1] vulnerability.
This vulnerability is possible because the application fails to validate
user supplied input, returning it
The DPC Proxy is affected by a buffer-overflow vulnerability located in
the function that reads the data received from the client, stores it
in a stack buffer of about 1024 bytes and checks for the presence of an
end-of-line delimiter (carriage return).
Thanks in advance,
On 9/24/08, Aditya K Sood <0kn0ck@secniche.org> wrote:
>
> *Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.*
>
> *Version Affected:*
> Chrome/0.2.149.30
> Chrome/0.2.149.29
>
F] NULL pointer in log_user_agent
---------------------------------
The log_user_agent function uses an unchecked strstr to find the
end of the User-Agent value (a line field), but the server also
accepts carriage-return characters, allowing an attacker to crash it
with a request consisting only of 0x0d characters.
From rtsp/RTSP_utils.c:
void log_user_agent(RTSP_buffer * rtsp)