[ISecAuditors Security Advisories] HTTP Response Splitting Vulnerability in WebCollab <= v3.30


============================================= INTERNET SECURITY AUDITORS ALERT 2013-011 - Original release date: March 21st, 2013 - Last revised: March 21st, 2013 - Discovered by: Manuel Garcia Cardenas - Severity: 5/10 (CVSS Base Score) - CVE-ID: CVE-2013-2652 ============================================= I. VULNERABILITY ------------------------- HTTP Response Splitting Vulnerability in WebCollab <= v3.30 II. BACKGROUND ------------------------- WebCollab is a collaborative Web site for project workgroups. It aims to be easy and intuitive to use without being complicated or graphically intensive. It uses a MySQL/PostgreSQL database backend coupled with PHP scripting and the Apache webserver. The last version of WebCollab is 3.30 (Aotuhia) released on February 2013. III. DESCRIPTION ------------------------- An input validation problem exists within WebCollab which allows injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n) characters into the server HTTP response header, resulting in a HTTP Response Splitting Vulnerability. The vulnerability exists in the "item" parameter on the page "/help/help_language.php". This vulnerability not only gives attackers control of the remaining headers and body of the server response, but also allows them to create additional responses entirely under their control. IV. PROOF OF CONCEPT ------------------------- Malicious Request: http://vulnerablesite.com/webcollab/help/help_language.php?item=%0d%0a%20FakeHeader%3a %20WriteYourOwnHeader&lang=en&type=help Server Response: HTTP/1.1 302 Found Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7 Location: http://vulnerablesite.com/webcollab/help/en_help.php# FakeHeader: WriteYourOwnHeader Content-Length: 0 Content-Type: text/html V. BUSINESS IMPACT ------------------------- Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted. Other attacks are also possible. VI. SYSTEMS AFFECTED ------------------------- WebCollab <= v3.30 VII. SOLUTION ------------------------- All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated. Validate the parameter "item" on the page "/help/help_language.php" line 34: $help_item = $_GET['item']; switch($_GET['type'] ) { case 'admin': header('Location: '.BASE_URL.'help/'.$lang_prefix.'_help_admin.php#'.$help_item ); break; case 'help': default: header('Location: '.BASE_URL.'help/'.$lang_prefix.'_help.php#'.$help_item ); break; VIII. REFERENCES ------------------------- http://webcollab.sourceforge.net http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------ March 21, 2013: Initial release XI. DISCLOSURE TIMELINE ------------------------- March 21, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com) March 22, 2013: CVE-ID requested and received. October 17, 2013: First contact with the developer. We send pre-advisory October 18, 2013: Developer team release a new version October 24, 2013: Advisory Release XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. XIII. ABOUT ------------------------- Internet Security Auditors is a Spain based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.