Re: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below

To: JeiAr <security@xxxxxxxxxxxx>
Subject: Re: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
From: Paul Laudanski <zx@xxxxxxxxxxxxxx>
Date: Fri, 15 Apr 2005 19:58:01 -0400 (EDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx, <bugs@xxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <moderators@xxxxxxxxx>, <news@xxxxxxxxxxxxxx>, <vulndiscuss@xxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>
In-reply-to: <20050415211819.17932.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Technically http response splitting occurs when a web application fails to 
reject illegal input such as the CR and LF characters.  PHP-Nuke's 
mainfile.php has had the following function in it:

function removecrlf($str) {
    return strtr($str, "\015\012", ' ');
}

So the power is there to stop it, but it isn't being used.

It should be called more frequently on user input validation.  However, a 
one stop shop would be to install mod_security with the appropriate 
filters.  It won't just protect a webapp like php-nuke or postnuke, it'll 
protect all the pages accessible via Apache.

However, $forwarder should only accept URLs, and nothing more in this 
example.  As such, there ought to be a whitelist of characters that are 
approved for input specific to URLs.

But when it comes to CRLFs, I can't see anything at the moment why they 
ought to be whitelisted.

On 15 Apr 2005, JeiAr wrote:

> In-Reply-To: <20050416033018.9721.qmail@xxxxxxxxxxxxxxxxxxxxx>
> 
> "Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), 
> mysql_real_escape_string()
> and other functions for input validation before passing user input
> to the mysql database, or before echoing data on the screen, would solve these
> problems."
> 
> The htmlspecialchars() would most definately keep the html code from being 
> rendered, but would it really fix http response splitting?
> 
> Maybe something like this would work better?
> 
> $location = str_replace('\n', '', urldecode($location));
> $location = str_replace('\r', '', urldecode($location));
> $location = str_replace('&amp;', '&', htmlspecialchars($location));
> 
> James
> 
> 
> >Dcrab 's Security Advisory
> >[Hsc Security Group] http://www.hackerscenter.com/
> >[dP Security] http://digitalparadox.org/
> >
> >Get Dcrab's Services to audit your Web servers, scripts, networks, etc. 
> >Learn more at http://www.digitalparadox.org/services.ah
> >
> >Severity: High
> >Title: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
> >Date: 15/04/2005
> >
> >Vendor: Php-Nuke
> >Vendor Website: http://www.phpnuke.org
> >Summary: There are, http response splitting vulnerability in php-nuke 7.6 
> >and below.

-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com

________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

  part000.txt - is OK
http://castlecops.com

References:
- Re: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
  - From: JeiAr

Prev by Date: [DR001] AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability
Next by Date: phpBB datenbank mod has XSS/SQL Injection in the id variable
Previous by thread: Re: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
Next by thread: [DR001] AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability
Index(es):
- Date
- Thread