(Monstra <= 3.0.1 & Anchor <= 0.9) CVE-2014-9006, CVE-2014-9182
2:07 AM
Monstra CMS 3.0.1 (current version at the time of writing) and below: Vulnerabilities
HTTP Response Splitting (CRLF Injection)
http://packetstormsecurity.com/files/129043/Monstra-3.0.1-HTTP-Response-Splitting.html
/plugins/captcha/crypt/cryptographp.php
<?php
...
SetCookie("cryptcookietest", "1");
// $_GET['cfg'] is concatenated into the Location header without any sanitisation
Header("Location: cryptographp.inc.php?cfg=".$_GET['cfg']."&sn=".session_name()."&".SID);
... ?>
So providing
http://[host]/[loc]/plugins/captcha/crypt/cryptographp.php?cfg=%0A%0DContent-Type:%20text/html%0A%0D%0A%0D%3Cscript%3Ealert%281%29%3C/script%3E&
would result in a CRLF injection. Using %0A%0D%0A%0D allows additional headers (and a body) to be added; this can be used to cause reflected XSS, content spoofing, open redirection, and more.
Note: the PHP version must allow multiple headers; this is fixed in PHP > 5.6.2.
Bruteforce Mitigation Bypass [CVE-2014-9006]
http://packetstormsecurity.com/files/129082/Monstra-3.0.1-Bruteforce-Mitigation-Bypass.html
admin/index.php
:33-42
// Admin login
if (Request::post('login_submit')) {
    // The attempt counter lives in a cookie, i.e. under the client's control
    if (Cookie::get('login_attempts') && Cookie::get('login_attempts') >= 5) {
        $login_error = __('You are banned for 10 minutes. Try again later', 'users');
    } else {
        $user = $users->select("[login='" . trim(Request::post('login')) . "']", null);
    }
The code blocks bruteforce attempts simply by placing a cookie called
"login_attempts" in the victim's browser, so an attacker can craft a bruteforce script
that either clears cookies or does not send cookies at all.
Anchor CMS <= 0.9.2 Header Injection [CVE-2014-9182]
Anchor CMS versions 0.9.2 and below suffer from a header injection vulnerability.
Anchor CMS <= 0.9.2 (current version): header injection in anchor/models/comment.php
<?php
...
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";
// $_SERVER['HTTP_HOST'] is taken from the client's Host header and used unsanitised
$headers .= 'From: notifications@' . $_SERVER['HTTP_HOST'] . "\r\n";
mail($to, __('comments.notify_subject'), $message, $headers); // line 49
... ?>
So it is possible to inject an arbitrary "From" header, or any other header,
using CRLF, simply by tampering with the Host header and changing it to bad.com or
bad.com\r\nNew-Header:Hacked!