Help with HTTP Response Splitting
Posted by: p0deje
Date: November 11, 2009 05:32AM

hello, sla.ckers

I'm currently learning HTTP Response Splitting, but I still can't get how to perform this attack.
So I have a vulnerable site. I'm sure that it's vulnerable because it is a CMS and there is a security advisory stating that the version I use is vulnerable.
The only redirect I've found is when you are at some page and log in via the login block: you are forwarded to the same page.

it looks like
http://www.site.com/?destination=somepage
then you log in and get forwarded to
http://www.site.com/somepage

So, as far as I understand HTTPRS, I should follow something like
http://www.site.com/?destination=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>OK</html>
and then login

but

I'm simply forwarded to
http://www.site.com/%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
and it says 404


What am I doing wrong?

---------
http://p0deje.blogspot.com

Re: Help with HTTP Response Splitting
Posted by: sirdarckcat
Date: November 11, 2009 06:27AM

are you sure it's vulnerable? they are not doing rawurlencode()?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Help with HTTP Response Splitting
Posted by: p0deje
Date: November 11, 2009 07:03AM

That is Drupal 4.7.7.
HTTP Response Splitting was fixed in Drupal 4.7.8: http://drupal.org/node/184315
They've added the following to common.inc:
// Remove newlines from the URL to avoid header injection attacks.
$url = str_replace(array("\n", "\r"), '', $url);
I've looked through this file and didn't find anything like this, so it's definitely vulnerable.

---------
http://p0deje.blogspot.com

Re: Help with HTTP Response Splitting
Posted by: sirdarckcat
Date: November 11, 2009 09:16AM

well.. the location is being urlencoded..

This "works" (the "" are because PHP will not allow you to have multiline headers):
http://eaea.sirdarckcat.net/xss.php?redir_xss=%0D%0A%0D%0Ahola

If I don't put %0A I get in Firefox:
http://eaea.sirdarckcat.net/xss.php?redir_xss=%0D%0Dhola
redirects to:
http://eaea.sirdarckcat.net/%0D%0Dhola

so.. it may be a browser issue..

It's worth noting that chrome apparently never loads, and IE8 panics and dies with an error.

Greetz!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Help with HTTP Response Splitting
Posted by: p0deje
Date: November 11, 2009 11:21AM

I don't get it.
1. PHP blocks multiline headers, so it's impossible to perform such an attack against PHP-based web applications?
2. Even though the request is URL-encoded, it's still possible to inject CRLF and the attack will be performed. Am I right?

---------
http://p0deje.blogspot.com

Re: Help with HTTP Response Splitting
Posted by: sirdarckcat
Date: November 11, 2009 07:49PM

you have to check the source code.. if they do:
header("Location: ".rawurlencode($url));

then you are out of luck..

if their PHP server disallows multiline headers, then you are out of luck..

Greetings!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
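
As an added illustration, not code from the thread, from Drupal or from PHP itself, here are the three patterns the two replies above compare, written in Python rather than PHP: the unpatched "Location: " . $url pattern, the Drupal 4.7.8 CR/LF strip quoted earlier, and the rawurlencode() form sirdarckcat mentions (Python's quote(..., safe="") is assumed to match it closely enough). The sample destination value is constructed from the one in the first post.

```python
from urllib.parse import quote, unquote

# Constructed sample: the decoded form of the destination value from the
# first post, i.e. what the script sees after the server URL-decodes the query.
CONSTRUCTED_DESTINATION = unquote(
    "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>OK</html>"
)


def location_header_unsafe(url: str) -> str:
    """The pre-4.7.8 pattern: the decoded value goes straight into the header."""
    return "Location: " + url


def location_header_stripped(url: str) -> str:
    """Drupal 4.7.8 fix: drop CR and LF before the value reaches header()."""
    return "Location: " + url.replace("\n", "").replace("\r", "")


def location_header_encoded(url: str) -> str:
    """The rawurlencode() pattern: CR/LF survive only as %0D%0A text."""
    return "Location: " + quote(url, safe="")


def header_line_count(header: str) -> int:
    """How many header lines a client or proxy would see if this were sent raw.
    A single-valued Location header must give exactly 1."""
    return len(header.split("\r\n"))


def flags_crlf(raw_query_value: str) -> bool:
    """Detection-side check for log or WAF review: does the value carry CR or LF
    once percent-decoded? Raw text is decoded first so %0d / %0a are caught."""
    decoded = unquote(raw_query_value)
    return "\r" in decoded or "\n" in decoded
```
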

Re: Help with HTTP Response Splitting
Posted by: p0deje
Date: November 12, 2009 04:31AM

Okay,
they don't do rawurlencode,
and even if PHP doesn't allow a multiline header, it would show an error about it, as in your http://eaea.sirdarckcat.net/xss.php?redir_xss=%0D%0A%0D%0Ahola
Then why does Drupal just load a 404 page?

---------
http://p0deje.blogspot.com

Re: Help with HTTP Response Splitting
Posted by: Gareth Heyes
Date: November 12, 2009 05:04AM

@p0deje

What version of PHP is it? I think response splitting was fixed in 5 using header()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Help with HTTP Response Splitting
Posted by: rvdh
Date: November 12, 2009 10:07AM

Hmm, any scripting language shouldn't touch the header in my opinion, because it's easy to make a mistake or forget it in some other script, or even open up a new can of worms. It's better to do that globally with Apache, e.g. mod_rewrite in .htaccess/httpd.conf.

That said, you really shouldn't try this with a browser, because it's unreliable. Use netcat or some other script that can create sockets from scratch.



Edited 2 time(s). Last edit at 11/13/2009 09:38AM by rvdh.

Re: Help with HTTP Response Splitting
Posted by: p0deje
Date: November 12, 2009 11:08AM

@Gareth

You are right, it's 5.

---------
http://p0deje.blogspot.com
