discussions.apple.com, Resolved, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Example, PoC, Report
Sun, 25 Mar 2012 14:00:00 +0000
CVE-2011-4763, Plesk Site Editor, CPanel 10.2.x, XSS, SQL Injection, CVE-2011-4764, CVE-2011-4765, CVE-2011-4766, CVE-2011-4767, CVE-2011-4768
Mon, 06 Feb 2012 13:34:00 +0000
SSO, XSS, CVE-2011-4745, PSA v10.3.1_build1013110726.09 os_RedHat el6, Billing Manager, CVE-2011-4746, CVE-2011-4747, CVE-2009-3555, CVE-2011-4748, CVE-2011-4749
Sun, 11 Dec 2011 23:10:00 +0000
CVE-2011-4734, Plesk Control Panel for Windows Version 10.2.x Build 20110407.20,CVE-2011-4735, CVE-2011-4736, CVE-2011-4737, CVE-2011-4738, CVE-2011-4739, CVE-2011-4740, CVE-2011-4741, CVE-2011-4742, CVE-2011-4743, CVE-2011-4744
Sun, 11 Dec 2011 22:33:00 +0000
CVE-2011-4753, Plesk Control Panel for Windows Version 10.2.0, CVE-2011-4754, CVE-2011-4755, CVE-2011-4756, CVE-2011-4757, CVE-2011-4758, CVE-2011-4759, CVE-2011-4760, CVE-2011-4761, CVE-2011-4762
Sun, 11 Dec 2011 22:22:00 +0000
CVE-2011-4725, Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6, CVE-2011-4726, CVE-2011-4727, CVE-2011-4728, CVE-2011-4729, CVE-2011-4730, CVE-2011-4731, CVE-2011-4732, CVE-2011-4733
Sun, 11 Dec 2011 22:06:00 +0000
Commentary, Apple, Vulnerability Reporting, Stats, Burp Suite Pro, DOMinator, FuzzDB, Best Practices, Full Disclosure, Metrics, CoTs
Thu, 17 Nov 2011 22:36:00 +0000
|
|
Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1, CWE-113 PoC, Expect RXSS
HTTP Header Injection Reports | HTTPi - Set Cookie PoC | HTTPi - Location Response PoC | HTTPi - Eyeblaster Cookie PoC
Loading
CWE-113: HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way.
If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response. Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Including unvalidated data in an HTTP header allows an attacker to specify the entirety of the HTTP response rendered by the browser. When an HTTP request contains unexpected CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n) characters the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks.
A HTTP Header Injection Vulnerability means an Attacker can inject malicious input that goes into HTTP headers without proper input filtering. The Application Response contained a CRLF (New line) injection in the HTTP headers.
Depending on the application. An attacker might carry out the following forms of attacks:
- Cross-site Scripting attack which can lead to session hijacking
- Session fixation attack by setting a new cookie, which can again lead to session hijacking
Actions to Take
- See the remedy for solution.
- Ensure the server security patches are up to date and that the current stable version of the software is in use.
Do not allow newline characters in input. Where possible use strict white listing. If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
Required Skills for Successful Exploitation
Crafting the attack to exploit this issue is not a complex process. However most of the unsophisticated attackers will not know that such an attack is possible. Also an attacker needs to reach his victim by an e-mail or other similar method in order to entice them to visit the site or click upon a URL.
External References
|
|