Bug 71502 - www-apps/phpwebsite: possible http response splitting attack
Summary: www-apps/phpwebsite: possible http response splitting attack
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://phpwebsite.appstate.edu/index....
Whiteboard: B4 [glsa]
Reported: 2004-11-17 01:11 UTC by Matthias Geerdsen (RETIRED)
Modified: 2004-11-26 12:17 UTC
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-17 01:11:04 UTC
Posted by: jydallstar on 11/11/2004 11:05
Updated by: jydallstar on 11/16/2004 04:25
Expires: 01/01/2009 12:00
Security Patch

A security vulnerability was brought to our attention recently and we have posted a patch to resolve this issue.

Updated: 12-16-2004 @ 4:26 PM

The patch can be downloaded from here:

http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: 1b3153eed4c026289f8744f65e8b922a

This patch should only be applied to versions 0.9.3-2 or greater. All you need to do is untar the file in the base directory of your phpwebsite install.

Thanks to Maestro De-Seguridad for bringing this problem to our attention.

We will discuss the security hole in more detail after people have had a chance to apply the patch.


The phpWebSite Development Team

_______________________________________

http://securitytracker.com/alerts/2004/Nov/1012200.html :

phpWebSite Input Validation Flaws Let Remote Users Conduct HTTP Response Splitting Attacks
SecurityTracker Alert ID:  1012200
SecurityTracker URL:  http://securitytracker.com/id?1012200
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 12 2004
Impact:  Modification of system information, Modification of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 0.9.3-4
Description:  A vulnerability was reported in phpWebSite. A remote user can conduct HTTP response splitting attacks.

Maestro reported that the 'index.php' script does not properly validate user-supplied input in several parameters. A remote user can submit a specially crafted HTTP POST request to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit POST request is provided:

POST /index.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 218
Connection: Keep-Alive

module=user&norm_user_op=login&block_username=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20Ok%0d%0aContent-Length:%2031%0d%0aConte nt-Type:%
site in 0wned</html>&password=foobar
Impact:  A remote user can create a request that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.
Solution:  The vendor has issued the following patch for 0.9.3-2 or greater:

http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz

md5sum: fcefda44a8d691c844593d815479a1ce
Vendor URL:  phpwebsite.appstate.edu/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Maestro De-Seguridad" <maestrodeseguridad@lycos.com>
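
An added example, not part of the bug report, the SecurityTracker alert or the phpWebSite patch: a Python check that flags form parameters whose decoded value contains CR or LF, the input class behind the response splitting described above, plus a guard for values about to be written into a response header. The sample request bodies and the `X-Constructed-Header` name are constructed for illustration, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, unquote

# Constructed sample POST bodies (not taken from the report).
BENIGN = "module=user&norm_user_op=login&block_username=alice&password=foobar"
SPLIT = ("module=user&norm_user_op=login"
         "&block_username=alice%0d%0aX-Constructed-Header:%201&password=foobar")
DOUBLE = "module=user&block_username=alice%250d%250aX-Constructed-Header:%201"

LINE_BREAKS = ("\r", "\n")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded CR/LF (%250d) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def params_with_line_breaks(body):
    """Return names of form parameters whose decoded value holds CR or LF."""
    flagged = []
    # parse_qsl performs the first round of percent-decoding itself.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if any(ch in fully_decode(value) for ch in LINE_BREAKS):
            flagged.append(name)
    return flagged


def safe_header_value(value):
    """Refuse a value bound for a response header if it has CR, LF or NUL."""
    if any(ch in value for ch in ("\r", "\n", "\x00")):
        raise ValueError("control character in header value")
    return value


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("split", SPLIT), ("double", DOUBLE)):
        print(label, params_with_line_breaks(body))
```

Run over logged POST bodies, the first function identifies which parameter carried the line break; the second belongs at the point where the application builds a header from request data.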
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-17 01:12:46 UTC
Don, pls provide an updated ebuild
Comment 2 Don Seiler (RETIRED) gentoo-dev 2004-11-17 08:53:26 UTC
www-apps/phpwebsite-0.9.3_p4-r2 now in portage.  ~ for all arches.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-11-17 09:12:05 UTC
Thanks Don.
Arches, please test and mark www-apps/phpwebsite-0.9.3_p4-r2 stable
Comment 4 Olivier Crete (RETIRED) gentoo-dev 2004-11-18 07:56:11 UTC
the comments in files/postinstall-en.txt are wrong

cd ${MY_HTDOCSDIR}/phpwebsite/setup
should be
/var/www/localhost/htdocs/phpwebsite/setup

(or something like that)
./secure_setup.sh
should be 
./secure_phpws.sh or something like that

anyways.. apart from that it seems ok...
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2004-11-21 06:01:42 UTC
*prod* is files/postinstall-en.txt getting fixed?
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-11-23 08:02:30 UTC
rizzo : please fix postinstall-en.txt (no revision needed, I think)
alpha,ppc : please mark stable whatever version is there, the postinstall-en.txt is not a blocker.
Comment 7 Don Seiler (RETIRED) gentoo-dev 2004-11-23 08:11:27 UTC
Fixed.  I wasn't sure about the htdocs location with all the webapp-config stuff, but phpwebsite really handles its own branching anyway, so I've hard coded the /var/www/localhost location as you specified.

Sorry for delay.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-11-23 15:55:00 UTC
Stable on alpha.
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2004-11-24 01:01:21 UTC
Marked stable on ppc.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-11-24 02:00:29 UTC
Maintainer or x86 should mark www-apps/phpwebsite-0.9.3_p4-r2 stable too.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2004-11-24 11:15:34 UTC
x86 stable.. sorry for the delay
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-11-25 00:49:13 UTC
This calls a vote. I would vote for a GLSA :) phpwebsite is exposed.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-25 01:22:52 UTC
I vote for GLSA on this.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-11-25 01:24:33 UTC
Then GLSA there will be
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-26 12:17:17 UTC
Thanks everyone.

GLSA 200411-35