WebCollab 3.30 HTTP Response Splitting



EKU-ID: 3594 CVE: 2013-2652 OSVDB-ID:
Author: Manuel Garcia Cardenas Published: 2013-10-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


=============================================
INTERNET SECURITY AUDITORS ALERT 2013-011
- Original release date: March 21st, 2013
- Last revised:  March 21st, 2013
- Discovered by: Manuel García Cárdenas
- Severity: 5/10 (CVSS Base Score)
- CVE-ID: CVE-2013-2652
=============================================

I. VULNERABILITY
-------------------------
HTTP Response Splitting Vulnerability in WebCollab <= v3.30

II. BACKGROUND
-------------------------
WebCollab is a collaborative Web site for project workgroups. It aims to
be easy and intuitive to

use without being complicated or graphically intensive.

It uses a MySQL/PostgreSQL database backend coupled with PHP scripting
and the Apache webserver.

The last version of WebCollab is 3.30 (Aotuhia) released on February 2013.

III. DESCRIPTION
-------------------------
An input validation problem exists within WebCollab which allows
injecting CR (carriage return -

%0D or \r) and LF (line feed - %0A or \n) characters into the server
HTTP response header,

resulting in a HTTP Response Splitting Vulnerability.

The vulnerability exists in the "item" parameter on the page
"/help/help_language.php".

This vulnerability not only gives attackers control of the remaining
headers and body of the

server response, but also allows them to create additional responses
entirely under their

control.

IV. PROOF OF CONCEPT
-------------------------
Malicious Request:

http://vulnerablesite.com/webcollab/help/help_language.php?item=%0d%0a%20FakeHeader%3a

%20WriteYourOwnHeader&lang=en&type=help

Server Response:

HTTP/1.1 302 Found
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
Location: http://vulnerablesite.com/webcollab/help/en_help.php#
 FakeHeader: WriteYourOwnHeader
Content-Length: 0
Content-Type: text/html

V. BUSINESS IMPACT
-------------------------
Attacker-supplied HTML or JavaScript code could run in the context of
the affected site,

potentially allowing an attacker to steal cookie-based authentication
credentials, control how

the site is rendered to the user, and influence or misrepresent how web
content is served,

cached, or interpreted. Other attacks are also possible.

VI. SYSTEMS AFFECTED
-------------------------
WebCollab <= v3.30

VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user,
before making any kind of
transaction with them must be validated.

Validate the parameter "item" on the page "/help/help_language.php" line 34:

$help_item = $_GET['item'];

switch($_GET['type'] ) {
  case 'admin':
    header('Location:
'.BASE_URL.'help/'.$lang_prefix.'_help_admin.php#'.$help_item );
    break;

  case 'help':
  default:
    header('Location:
'.BASE_URL.'help/'.$lang_prefix.'_help.php#'.$help_item );
    break;

VIII. REFERENCES
-------------------------
http://webcollab.sourceforge.net
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
------------------------
March    21, 2013: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March      21, 2013: Vulnerability acquired by
                     Internet Security Auditors (www.isecauditors.com)
March      22, 2013: CVE-ID requested and received.
October    17, 2013: First contact with the developer. We send pre-advisory
October    18, 2013: Developer team release a new version
October    24, 2013: Advisory Release

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or

guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse

of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security,

penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as

finance, telecommunications, insurance, ITC, etc.
We are vendor independent provider with a deep expertise since 2001. Our
efforts in R&D include

vulnerability research, open security project
collaboration and whitepapers, presentations and security events
participation and promotion. For

further information regarding our security
services, contact us.