Full Disclosure mailing list archives
Google's Blogger.com classic HTTP response splitting vulnerability
From: Meder Kydyraliev <meder () o0o nu>
Date: Wed, 18 Jan 2006 18:50:48 +0800
Blogger.com classic HTTP response splitting vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 0. Original Advisory ~~~~~~~~~~~~~~~~~~~ http://o0o.nu/~meder/o0o_Blogger_HTTP_response_splitting.txt I. Background ~~~~~~~~~~~~~ Blogger.com is Google's blogging service. II. Description ~~~~~~~~~~~~~~~ Blogger's personal page redirection mechanism contains a classic HTTP response splitting vulnerability in the "Location" HTTP header. The problem occurs due to use of unsanitized user-supplied data in the "Location" HTTP header, which enables attacker to inject CRLF(%0d%0a) characters thus splitting server's response taking full control over the contents of second HTTP response. Exploitation of the vulnerability can lead to cross-site scripting (XSS), cache poisioning and phishing attacks. The following URL was taking contents of query string and using it in "Location" HTTP header without proper sanitation: http://www.blogger.com/r?[URL here] III. Vendor status ~~~~~~~~~~~~~~~~~~ Vulnerability has been fixed on 13/01/2006 IV. Disclosure timeline ~~~~~~~~~~~~~~~~~~~~~~~ 02/01/2006 - Issue discovered. Vendor notified. 02/01/2006 - Initial vendor response. 12/01/2006 - Vendor inquired on status. 13/01/2006 - Vendor response and confirmation that bug fixed. V. References ~~~~~~~~~~~~~ 1. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf -- http://o0o.nu/~meder _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google's Blogger.com classic HTTP response splitting vulnerability Meder Kydyraliev (Jan 18)