Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability

Medium
Advisory ID: ZSL-2011-5048
Release Date: 19 September 2011
Affected Version: 1.5.2
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

Toko Web Content Editor CMS is a compact, multi-language, open source web editor and content management system (CMS). It is an advanced, easy-to-use yet fully featured program that can be integrated with any existing site. It takes 2 minutes to install, even for non-technical users.

Description

Input passed to the 'charSet' parameter in 'edit.php' is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

/edit.php
----------------

$charSet = "iso-8859-1";
$dir = "ltr";

if ( isset( $_POST[ "charSet" ] ) )
{
    $charSet = $_POST[ "charSet" ];

    if ( $charSet == "windows-1255" )
    {
        $dir = "rtl";
    }
}

header( "Content-Type: text/html; charset=" . $charSet );

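
One way to fix the pattern shown above, as an added example that is not part of the original advisory or of Toko's own code: resolve the submitted value against a fixed allow-list so request data never reaches header() verbatim. The function name resolve_charset and the 'utf-8' entry are assumptions; the page itself shows only iso-8859-1 and windows-1255.

```php
<?php
// Added example (not Toko code): allow-list handling for the 'charSet'
// POST parameter. Array syntax is kept compatible with PHP 5.3.

/**
 * Map a user-supplied charset to a known-good value.
 * Returns array(charset, direction). Anything not on the allow-list,
 * including values that carry CR/LF or other extra characters, falls
 * back to the default.
 */
function resolve_charset($input)
{
    // charset => text direction. Hypothetical list: only iso-8859-1
    // and windows-1255 appear in the advisory's excerpt.
    $allowed = array(
        'iso-8859-1'   => 'ltr',
        'utf-8'        => 'ltr',
        'windows-1255' => 'rtl',
    );
    $default = 'iso-8859-1';

    // charSet[]=x arrives as an array, so reject non-strings up front.
    if (!is_string($input)) {
        return array($default, $allowed[$default]);
    }
    $key = strtolower(trim($input));
    if (!array_key_exists($key, $allowed)) {
        return array($default, $allowed[$default]);
    }
    return array($key, $allowed[$key]);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, including one with an embedded CRLF.
    $samples = array('windows-1255', 'UTF-8', "utf-8\r\nX-Test: 1", array('x'), null);
    foreach ($samples as $s) {
        list($c, $d) = resolve_charset($s);
        echo json_encode($s), ' => ', $c, ' / ', $d, "\n";
    }
} else {
    $raw = isset($_POST['charSet']) ? $_POST['charSet'] : null;
    list($charSet, $dir) = resolve_charset($raw);
    // Only a value taken from the allow-list is placed in the header.
    header('Content-Type: text/html; charset=' . $charSet);
}
```

Run from the command line, the script prints how each constructed input is resolved; the CRLF-bearing value and the array both fall back to iso-8859-1 / ltr.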
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
19.09.2011 - Initial release
20.09.2011 - Added reference [3], [4], [5], [6] and [7]