Lucene search

K
packetstormManuel Garcia CardenasPACKETSTORM:123771
HistoryOct 25, 2013 - 12:00 a.m.

WebCollab 3.30 HTTP Response Splitting

2013-10-2500:00:00
Manuel Garcia Cardenas
packetstormsecurity.com
27

0.005 Low

EPSS

Percentile

72.6%

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2013-011  
- Original release date: March 21st, 2013  
- Last revised: March 21st, 2013  
- Discovered by: Manuel García Cárdenas  
- Severity: 5/10 (CVSS Base Score)  
- CVE-ID: CVE-2013-2652  
=============================================  
  
I. VULNERABILITY  
-------------------------  
HTTP Response Splitting Vulnerability in WebCollab <= v3.30  
  
II. BACKGROUND  
-------------------------  
WebCollab is a collaborative Web site for project workgroups. It aims to  
be easy and intuitive to  
  
use without being complicated or graphically intensive.  
  
It uses a MySQL/PostgreSQL database backend coupled with PHP scripting  
and the Apache webserver.  
  
The last version of WebCollab is 3.30 (Aotuhia) released on February 2013.  
  
III. DESCRIPTION  
-------------------------  
An input validation problem exists within WebCollab which allows  
injecting CR (carriage return -  
  
%0D or \r) and LF (line feed - %0A or \n) characters into the server  
HTTP response header,  
  
resulting in a HTTP Response Splitting Vulnerability.  
  
The vulnerability exists in the "item" parameter on the page  
"/help/help_language.php".  
  
This vulnerability not only gives attackers control of the remaining  
headers and body of the  
  
server response, but also allows them to create additional responses  
entirely under their  
  
control.  
  
IV. PROOF OF CONCEPT  
-------------------------  
Malicious Request:  
  
http://vulnerablesite.com/webcollab/help/help_language.php?item=%0d%0a%20FakeHeader%3a  
  
%20WriteYourOwnHeader&lang=en&type=help  
  
Server Response:  
  
HTTP/1.1 302 Found  
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7  
Location: http://vulnerablesite.com/webcollab/help/en_help.php#  
FakeHeader: WriteYourOwnHeader  
Content-Length: 0  
Content-Type: text/html  
  
V. BUSINESS IMPACT  
-------------------------  
Attacker-supplied HTML or JavaScript code could run in the context of  
the affected site,  
  
potentially allowing an attacker to steal cookie-based authentication  
credentials, control how  
  
the site is rendered to the user, and influence or misrepresent how web  
content is served,  
  
cached, or interpreted. Other attacks are also possible.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
WebCollab <= v3.30  
  
VII. SOLUTION  
-------------------------  
All data received by the application and can be modified by the user,  
before making any kind of  
transaction with them must be validated.  
  
Validate the parameter "item" on the page "/help/help_language.php" line 34:  
  
$help_item = $_GET['item'];  
  
switch($_GET['type'] ) {  
case 'admin':  
header('Location:  
'.BASE_URL.'help/'.$lang_prefix.'_help_admin.php#'.$help_item );  
break;  
  
case 'help':  
default:  
header('Location:  
'.BASE_URL.'help/'.$lang_prefix.'_help.php#'.$help_item );  
break;  
  
VIII. REFERENCES  
-------------------------  
http://webcollab.sourceforge.net  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Manuel García Cárdenas (mgarcia (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
------------------------  
March 21, 2013: Initial release  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 21, 2013: Vulnerability acquired by  
Internet Security Auditors (www.isecauditors.com)  
March 22, 2013: CVE-ID requested and received.  
October 17, 2013: First contact with the developer. We send pre-advisory  
October 18, 2013: Developer team release a new version  
October 24, 2013: Advisory Release  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with  
no warranties or  
  
guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse  
  
of this information.  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security,  
  
penetration testing, security compliance  
implementation and assessing. Our clients include some of the largest  
companies in areas such as  
  
finance, telecommunications, insurance, ITC, etc.  
We are vendor independent provider with a deep expertise since 2001. Our  
efforts in R&D include  
  
vulnerability research, open security project  
collaboration and whitepapers, presentations and security events  
participation and promotion. For  
  
further information regarding our security  
services, contact us.  
`

0.005 Low

EPSS

Percentile

72.6%

Related for PACKETSTORM:123771