Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below

From: Paul Laudanski <zx () castlecops com>
Date: Fri, 15 Apr 2005 19:58:01 -0400 (EDT)
Technically http response splitting occurs when a web application fails to 
reject illegal input such as the CR and LF characters.  PHP-Nuke's 
mainfile.php has had the following function in it:

function removecrlf($str) {
    return strtr($str, "\015\012", ' ');
}

So the power is there to stop it, but it isn't being used.

It should be called more frequently on user input validation.  However, a 
one stop shop would be to install mod_security with the appropriate 
filters.  It won't just protect a webapp like php-nuke or postnuke, it'll 
protect all the pages accessible via Apache.

However, $forwarder should only accept URLs, and nothing more in this 
example.  As such, there ought to be a whitelist of characters that are 
approved for input specific to URLs.

But when it comes to CRLFs, I can't see anything at the moment why they 
ought to be whitelisted.

On 15 Apr 2005, JeiAr wrote:


In-Reply-To: <20050416033018.9721.qmail () www securityfocus com>

"Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string()
and other functions for input validation before passing user input
to the mysql database, or before echoing data on the screen, would solve these
problems."

The htmlspecialchars() would most definately keep the html code from being rendered, but would it really fix http 
response splitting?

Maybe something like this would work better?

$location = str_replace('\n', '', urldecode($location));
$location = str_replace('\r', '', urldecode($location));
$location = str_replace('&amp;', '&', htmlspecialchars($location));

James



Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at 
http://www.digitalparadox.org/services.ah

Severity: High
Title: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
Date: 15/04/2005

Vendor: Php-Nuke
Vendor Website: http://www.phpnuke.org
Summary: There are, http response splitting vulnerability in php-nuke 7.6 and below.


-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com


________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

  part000.txt - is OK
http://castlecops.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: