Full Disclosure mailing list archives
Re: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
From: Paul Laudanski <zx () castlecops com>
Date: Fri, 15 Apr 2005 19:58:01 -0400 (EDT)
Technically http response splitting occurs when a web application fails to reject illegal input such as the CR and LF characters. PHP-Nuke's mainfile.php has had the following function in it:

function removecrlf($str) {
    return strtr($str, "\015\012", ' ');
}

So the power is there to stop it, but it isn't being used. It should be called more frequently on user input validation. However, a one stop shop would be to install mod_security with the appropriate filters. It won't just protect a webapp like php-nuke or postnuke, it'll protect all the pages accessible via Apache.

However, $forwarder should only accept URLs, and nothing more in this example. As such, there ought to be a whitelist of characters that are approved for input specific to URLs. But when it comes to CRLFs, I can't see any reason at the moment why they ought to be whitelisted.

On 15 Apr 2005, JeiAr wrote:
In-Reply-To: <20050416033018.9721.qmail () www securityfocus com>

> "Possible Fixes: The usage of htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems."
>
> The htmlspecialchars() would most definitely keep the html code from being rendered, but would it really fix http response splitting? Maybe something like this would work better?
>
> // double quotes so "\n" and "\r" are the real newline characters, not the two-character literals '\n' and '\r'
> $location = str_replace("\n", '', urldecode($location));
> $location = str_replace("\r", '', urldecode($location));
> // undo the & -> &amp; encoding done by htmlspecialchars() so query strings stay usable
> $location = str_replace('&amp;', '&', htmlspecialchars($location));
>
> JamesDcrab's Security Advisory
> [Hsc Security Group] http://www.hackerscenter.com/
> [dP Security] http://digitalparadox.org/
> Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
>
> Severity: High
> Title: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
> Date: 15/04/2005
> Vendor: Php-Nuke
> Vendor Website: http://www.phpnuke.org
> Summary: There is an http response splitting vulnerability in php-nuke 7.6 and below.
--
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com
http://justalittlepoke.com
http://zhen-xjell.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
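As an added illustration of the whitelist approach argued for in the reply above (example code, not from the thread, from PHP-Nuke or from mod_security), here is a Python sketch of a redirect-target check: validate_forwarder and location_header are hypothetical names, the sample inputs are constructed, and removecrlf is a Python rendering of the PHP-Nuke helper quoted above. It assumes the redirect value is percent-decoded once somewhere before it reaches the header; note that PHP's strtr() with a two-character from-string and a one-character to-string maps only the first character, so both CR and LF are mapped explicitly here.

```python
import re
from urllib.parse import unquote

# Whitelist for a redirect target: the characters RFC 3986 allows in a URL
# (unreserved, reserved, and '%' for percent-encoding). CR, LF and every
# other control character are deliberately absent.
URL_WHITELIST = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def removecrlf(value: str) -> str:
    """Python rendering of PHP-Nuke's removecrlf(): CR and LF become spaces.

    Both characters are mapped explicitly; PHP's strtr() with a two-character
    from-string and a one-character to-string only maps the first one.
    """
    return value.replace("\r", " ").replace("\n", " ")


def validate_forwarder(value: str) -> str:
    """Whitelist check for a user-supplied redirect target such as $forwarder.

    Rejects, rather than silently repairs, anything that is not a URL: any
    character outside the whitelist (raw CR/LF included) and a percent-encoded
    CR/LF (%0d%0a) that would turn into a line break once decoded.
    Returns the value unchanged when it passes.
    """
    if not URL_WHITELIST.fullmatch(value):
        raise ValueError("redirect target has characters not allowed in a URL")
    if "\r" in unquote(value) or "\n" in unquote(value):
        raise ValueError("redirect target contains CR/LF after percent-decoding")
    return value


def location_header(value: str) -> bytes:
    """Build the Location line only from a validated target, so user input
    can never terminate the header block early."""
    return b"Location: " + validate_forwarder(value).encode("ascii") + b"\r\n"


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    print(location_header("http://www.example.com/modules.php?name=News"))
    for bad in ("http://www.example.com/%0d%0aX-Test:%201",
                "http://www.example.com/\r\nX-Test: 1",
                "http://www.example.com/a b"):
        try:
            validate_forwarder(bad)
        except ValueError as err:
            print("rejected:", err)
```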
Current thread:
- Re: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below Paul Laudanski (Apr 15)