[ISecAuditors Security Advisories] HTTP Response Splitting Vulnerability in WebCollab <= v3.30

2013-10-27T00:00:00
ID SECURITYVULNS:DOC:29948
Type securityvulns
Reporter Securityvulns
Modified 2013-10-27T00:00:00

Description

============================================= INTERNET SECURITY AUDITORS ALERT 2013-011 - Original release date: March 21st, 2013 - Last revised: March 21st, 2013 - Discovered by: Manuel Garcia Cardenas - Severity: 5/10 (CVSS Base Score) - CVE-ID: CVE-2013-2652 =============================================

I. VULNERABILITY

HTTP Response Splitting Vulnerability in WebCollab <= v3.30

II. BACKGROUND

WebCollab is a collaborative Web site for project workgroups. It aims to be easy and intuitive to

use without being complicated or graphically intensive.

It uses a MySQL/PostgreSQL database backend coupled with PHP scripting and the Apache webserver.

The last version of WebCollab is 3.30 (Aotuhia) released on February 2013.

III. DESCRIPTION

An input validation problem exists within WebCollab which allows injecting CR (carriage return -

%0D or \r) and LF (line feed - %0A or \n) characters into the server HTTP response header,

resulting in a HTTP Response Splitting Vulnerability.

The vulnerability exists in the "item" parameter on the page "/help/help_language.php".

This vulnerability not only gives attackers control of the remaining headers and body of the

server response, but also allows them to create additional responses entirely under their

control.

IV. PROOF OF CONCEPT

Malicious Request:

http://vulnerablesite.com/webcollab/help/help_language.php?item=%0d%0a%20FakeHeader%3a

%20WriteYourOwnHeader&lang=en&type=help

Server Response:

HTTP/1.1 302 Found Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7 Location: http://vulnerablesite.com/webcollab/help/en_help.php# FakeHeader: WriteYourOwnHeader Content-Length: 0 Content-Type: text/html

V. BUSINESS IMPACT

Attacker-supplied HTML or JavaScript code could run in the context of the affected site,

potentially allowing an attacker to steal cookie-based authentication credentials, control how

the site is rendered to the user, and influence or misrepresent how web content is served,

cached, or interpreted. Other attacks are also possible.

VI. SYSTEMS AFFECTED

WebCollab <= v3.30

VII. SOLUTION

All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated.

Validate the parameter "item" on the page "/help/help_language.php" line 34:

$help_item = $_GET['item'];

switch($_GET['type'] ) { case 'admin': header('Location: '.BASE_URL.'help/'.$lang_prefix.'_help_admin.php#'.$help_item ); break;

case 'help': default: header('Location: '.BASE_URL.'help/'.$lang_prefix.'_help.php#'.$help_item ); break;

VIII. REFERENCES

http://webcollab.sourceforge.net http://www.isecauditors.com

IX. CREDITS

This vulnerability has been discovered and reported by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY

March 21, 2013: Initial release

XI. DISCLOSURE TIMELINE

March 21, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com) March 22, 2013: CVE-ID requested and received. October 17, 2013: First contact with the developer. We send pre-advisory October 18, 2013: Developer team release a new version October 24, 2013: Advisory Release

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or

guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse

of this information.

XIII. ABOUT

Internet Security Auditors is a Spain based leader in web application testing, network security,

penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as

finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include

vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For

further information regarding our security services, contact us.