ID: CVE-2015-5285
Type: cve
Reporter: NVD
Modified: 2015-10-30T16:00:12
Description
CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the came_from parameter to _admin/login.
{"result": {"exploitdb": [{"id": "EDB-ID:38424", "type": "exploitdb", "title": "Kallithea 0.2.9 came_from HTTP Response Splitting Vulnerability", "description": "Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability. Webapps exploits for multiple platform", "published": "2015-10-08T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/38424/", "cvelist": ["CVE-2015-5285"], "lastseen": "2016-02-04T08:03:48"}], "packetstorm": [{"id": "PACKETSTORM:133897", "type": "packetstorm", "title": "Kallithea 0.2.9 HTTP Response Splitting", "description": "", "published": "2015-10-08T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://packetstormsecurity.com/files/133897/Kallithea-0.2.9-HTTP-Response-Splitting.html", "cvelist": ["CVE-2015-5285"], "lastseen": "2016-12-05T22:21:20"}], "openvas": [{"id": "OPENVAS:1361412562310806613", "type": "openvas", "title": "Kallithea 'came_from' parameter HTTP Response Splitting Vulnerability", "description": "The host is installed with Kallithea and\n is prone to http response splitting vulnerability.", "published": "2015-11-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806613", "cvelist": ["CVE-2015-5285"], "lastseen": "2017-07-02T21:12:08"}], "zdt": [{"id": "1337DAY-ID-24384", "type": "zdt", "title": "Kallithea 0.2.9 HTTP Response Splitting Vulnerability", "description": "Kallithea suffers from a HTTP header injection (response splitting) vulnerability because it fails to properly sanitize user input before using it as an HTTP header value via the GET 'came_from' parameter in the login instance. 
This type of attack not only allows a malicious user to control the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control. Versions 0.2.9 and 0.2.2 are affected.", "published": "2015-10-08T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://0day.today/exploit/description/24384", "cvelist": ["CVE-2015-5285"], "lastseen": "2018-02-06T07:12:04"}], "zeroscience": [{"id": "ZSL-2015-5267", "type": "zeroscience", "title": "Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability", "description": "Title: Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability \nAdvisory ID: [ZSL-2015-5267](<ZSL-2015-5267.php>) \nType: Local/Remote \nImpact: Cross-Site Scripting \nRisk: (3/5) \nRelease Date: 07.10.2015 \n\n\n##### Summary\n\nKallithea, a member project of Software Freedom Conservancy, is a GPLv3'd, Free Software source code management system that supports two leading version control systems, Mercurial and Git, and has a web interface that is easy to use for users and admins. \n\n##### Description\n\nKallithea suffers from a HTTP header injection (response splitting) vulnerability because it fails to properly sanitize user input before using it as an HTTP header value via the GET 'came_from' parameter in the login instance. This type of attack not only allows a malicious user to control the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control. \n\n##### Vendor\n\nKallithea - <https://www.kallithea-scm.org>\n\n##### Affected Version\n\n0.2.9 and 0.2.2 \n\n##### Tested On\n\nKali \nPython \n\n##### Vendor Status\n\n[21.09.2015] Vulnerability discovered. \n[22.09.2015] Vendor contacted. \n[22.09.2015] Vendor responds asking more details. \n[23.09.2015] Sent details to the vendor. 
\n[23.09.2015] Vendor confirms the issue planing to fix in version 0.3. \n[24.09.2015] Working with the vendor. \n[24.09.2015] CVE-2015-5285 assigned. \n[02.10.2015] Vendor releases version 0.3 to address this issue. \n[07.10.2015] Coordinated public security advisory released. \n\n##### PoC\n\n[kallithea_http.txt](<../../codes/kallithea_http.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)> \nHigh five to Mads and Andrew! \n\n##### References\n\n[1] <https://kallithea-scm.org/news/release-0.3.html> \n[2] <https://kallithea-scm.org/security/cve-2015-5285.html> \n[3] <https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068> \n[4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285> \n[5] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5285> \n[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/106915> \n[7] <https://cxsecurity.com/issue/WLB-2015100066> \n[8] <https://packetstormsecurity.com/files/133897/Kallithea-0.2.9-HTTP-Response-Splitting.html> \n[9] <https://www.exploit-db.com/exploits/38424/>\n\n##### Changelog\n\n[07.10.2015] - Initial release \n[11.10.2015] - Added reference [6], [7] and [8] \n[12.10.2015] - Added reference [9] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "published": "2015-10-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php", "cvelist": ["CVE-2015-5285"], "lastseen": "2017-02-21T11:49:13"}]}}