Social Share 2010-06-05 HTTP Response Splitting

2010-12-22T00:00:00
ID PACKETSTORM:96941
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2010-12-22T00:00:00

Description

                                        
`www.eVuln.com advisory:  
HTTP Response Splitting in Social Share  
Summary: http://evuln.com/vulns/168/summary.html   
Details: http://evuln.com/vulns/168/description.html   
  
-----------Summary-----------  
eVuln ID: EV0168  
Software: Social Share  
Vendor: n/a  
Version: 2010-06-05  
Critical Level: low  
Type: HTTP Response Splitting  
Status: Unpatched. No reply from developer(s)  
PoC: Available  
Solution: Not available  
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )  
  
--------Description--------  
$_SERVER["HTTP_REFERER"] value is included in an HTTP response header sent to a web user without being validated for malicious characters.  
Vulnerable script: vote.php  
  
--------PoC/Exploit--------  
HTTP Response Splitting Example.  
  
Vulnerable code: $referrer = $_SERVER[HTTP_REFERER]; header("Location: $referrer");  
  
HTTP query ("Referer" field):  
  
Referer: http://some-link/\r\n[second new response]  
  
---------Solution----------  
Not available  
  
----------Credit-----------  
Vulnerability discovered by Aliaksandr Hartsuyeu  
http://evuln.com/penetration-test.html - website penetration testing service  
`
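
The advisory lists no fix. The following is an added example, not part of the advisory or of Social Share's code, showing one way to harden the redirect in vote.php: reject any Referer containing control characters and only redirect back to the site's own host. The function name `safe_redirect_target`, the host `example.test` and the fallback path `/index.php` are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for the Location redirect in vote.php.
// safe_redirect_target(), 'example.test' and '/index.php' are hypothetical.

function safe_redirect_target(?string $referer, string $ownHost, string $fallback): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }
    // CR, LF, NUL and other control bytes never belong in a header value.
    if (preg_match('/[\x00-\x1F\x7F]/', $referer) === 1) {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // Only send the visitor back to a page on our own site.
    if (strcasecmp($parts['host'], $ownHost) !== 0) {
        return $fallback;
    }
    return $referer;
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'same-site referer' => 'http://example.test/article.php?id=7',
    'CRLF in referer'   => "http://example.test/\r\nX-Constructed: 1",
    'foreign host'      => 'http://other.example/page',
    'missing header'    => null,
];

foreach ($samples as $label => $referer) {
    $target = safe_redirect_target($referer, 'example.test', '/index.php');
    printf("%-18s => %s\n", $label, $target);
}

// In vote.php the redirect would then become:
// $target = safe_redirect_target($_SERVER['HTTP_REFERER'] ?? null, 'example.test', '/index.php');
// header('Location: ' . $target, true, 302);
// exit;
```

PHP's header() has refused to send more than one header per call since 5.1.2, which blocks the split itself on current runtimes; the host check remains necessary because the Referer is client-supplied.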