Manx cms.xml 1.0.1 Multiple HTTP Response Splitting Vulnerabilities

2011-11-28T00:00:00
ID ZSL-2011-5059
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-11-28T00:00:00

Description

Title: Manx cms.xml 1.0.1 Multiple HTTP Response Splitting Vulnerabilities
Advisory ID: ZSL-2011-5059
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 28.11.2011

Summary

Manx is a Content Management System that uses xml text files to store the page contents, instead of a mysql database.

Description

Input passed to the POST parameter 'editorChoice' in 'admin_blocks.php' and 'admin_pages.php', and to the POST parameter 'theme' in 'admin_css.php', 'admin_js.php' and 'admin_templates.php', is not properly sanitised before being written into a 'Location' header via header(). A value containing carriage-return/line-feed characters therefore terminates that header line, which can be exploited to inject arbitrary HTTP headers, or an entire second response body, into the response sent to the user (the cross-site scripting impact listed above).

--------------------------------------------------------------------------------

// admin_css.php, admin_js.php, admin_templates.php: 'theme' goes straight into the header
header("Location: " . basename($_SERVER['PHP_SELF']) . "?theme=" . $_POST['theme']);

// admin_blocks.php, admin_pages.php: 'editorChoice' goes straight into the header
header("Location: " . basename($_SERVER['PHP_SELF']) . "?fileName=" . $fileName . "&editorChoice=" . $_POST['editorChoice']);
--------------------------------------------------------------------------------
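As an added example (not code from Manx or from the advisory), the vulnerable pattern above beside two hardened forms and a defence-in-depth check. Only the parameter names 'theme' and 'editorChoice' are from the advisory; the function names, the theme list and the payload are assumed for illustration.

```php
<?php
// Added example, not code from Manx or from the advisory. The parameter names
// 'theme' and 'editorChoice' come from the advisory; the function names, the
// theme list and the payload below are assumed for illustration.

// Vulnerable pattern, as described in the advisory: the raw POST value is
// concatenated into the Location header. PHP has already URL-decoded the body,
// so a submitted "%0d%0a" arrives here as a literal CR LF pair.
function redirect_vulnerable($theme)
{
    header("Location: " . basename($_SERVER['PHP_SELF']) . "?theme=" . $theme);
}

// Hardened form 1: percent-encode the value before it enters the header.
// rawurlencode() turns CR LF into "%0D%0A", so the bytes can no longer end the
// header line; the browser decodes them back only inside the query string.
function redirect_encoded($theme)
{
    header("Location: " . basename($_SERVER['PHP_SELF']) . "?theme=" . rawurlencode($theme));
}

// Hardened form 2: when the value selects a file on disk (a theme, a template),
// accept only names that actually exist instead of encoding arbitrary input.
function redirect_whitelisted($theme, array $knownThemes)
{
    if (!in_array($theme, $knownThemes, true)) {
        header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
        exit('unknown theme');
    }
    header("Location: " . basename($_SERVER['PHP_SELF']) . "?theme=" . rawurlencode($theme));
}

// Defence-in-depth check for any header value assembled by hand: reject CR, LF
// and NUL outright rather than trusting header() to notice them.
function headerValueIsSafe($value)
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Constructed payload: what the server sees after decoding a POST body of
// theme=default%0d%0aSet-Cookie:%20injected%3d1%0d%0a%0d%0a%3chtml%3espoofed%3c/html%3e
$payload = "default\r\nSet-Cookie: injected=1\r\n\r\n<html>spoofed</html>";

// Runs from the CLI without sending any header: shows how each candidate value
// is judged and how it looks once percent-encoded.
foreach (array('default', $payload) as $candidate) {
    printf(
        "raw=%s safe=%s encoded=%s\n",
        json_encode($candidate),
        headerValueIsSafe($candidate) ? 'yes' : 'no',
        rawurlencode($candidate)
    );
}
```

One caveat when verifying this class of bug: PHP's own header() has refused an argument containing a line feed since 5.1.2 (it emits a warning and drops the header), and later releases also reject a bare carriage return, so whether the pattern above is actually exploitable on a given install depends on the PHP version and on how the client handles a lone CR. That check is a safety net, not the fix; encode or whitelist the value before it reaches header().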

Vendor

Paul Jova - <http://manx.jovascript.com>

Affected Version

1.0.1

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8

Vendor Status

[03.12.2011] Vendor releases patch (<http://manx.jovascript.com/downloads.php>).

PoC

manx_hrs.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://packetstormsecurity.org/files/107354>
[2] <http://secunia.com/advisories/47002/>
[3] <http://www.securityfocus.com/bid/50862>
[4] <http://xforce.iss.net/xforce/xfdb/71516>
[5] <http://osvdb.org/show/osvdb/77408>
[6] <http://osvdb.org/show/osvdb/77409>
[7] <http://osvdb.org/show/osvdb/77410>
[8] <http://osvdb.org/show/osvdb/77411>
[9] <http://osvdb.org/show/osvdb/77412>

Changelog

[28.11.2011] - Initial release
[29.11.2011] - Added reference [1]
[30.11.2011] - Added reference [2]
[01.12.2011] - Added reference [3], [4], [5], [6], [7], [8] and [9]
[03.12.2011] - Added vendor status

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
