Manx cms.xml 1.0.1 Multiple HTTP Response Splitting Vulnerabilities

Severity: Medium
Advisory ID: ZSL-2011-5059
Release Date: 28 November 2011
Vendor:
Affected Version: 1.0.1
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.21, MySQL 5.5.16, PHP 5.3.8
Summary

Manx is a Content Management System that stores page contents in XML text files instead of a MySQL database.

Description

Input passed to the POST parameter 'editorChoice' in 'admin_blocks.php' and 'admin_pages.php', and to the POST parameter 'theme' in 'admin_css.php', 'admin_js.php' and 'admin_templates.php', is not properly sanitised before being returned to the user in an HTTP header. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

Vulnerable code (the 'theme' redirect in admin_css.php, admin_js.php and admin_templates.php, and the 'editorChoice' redirect in admin_blocks.php and admin_pages.php):

// admin_css.php, admin_js.php, admin_templates.php: the raw POST value 'theme' is concatenated into the Location header
header("Location: " . basename($_SERVER['PHP_SELF']) . "?theme=" . $_POST['theme']);

// admin_blocks.php, admin_pages.php: the raw POST value 'editorChoice' is concatenated into the Location header
header("Location: " . basename($_SERVER['PHP_SELF']) . "?fileName=" . $fileName . "&editorChoice=" . $_POST['editorChoice']);
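The following is an added example of a hardened form of the redirect above; it is not Manx code and not part of the original advisory. It keeps the advisory's parameter names ('theme', 'editorChoice') but the theme allow-list, the helper names (safeQueryValue, buildRedirect) and the fallback value 'default' are assumptions. A query value is first stripped of CR and LF and then percent-encoded with rawurlencode(), so it can never terminate the header line, and the assembled header is checked once more before being emitted.

```php
<?php
// Added example, not part of Manx: build a Location header that cannot be split.

// Constructed allow-list; the real Manx theme names are not given in the advisory.
$allowedThemes = array('default', 'dark');

// Neutralise a user-supplied query value: drop line breaks, then percent-encode
// everything else (a stray CR/LF becomes %0D%0A rather than a new header line).
function safeQueryValue($value)
{
    $value = str_replace(array("\r", "\n"), '', (string) $value);
    return rawurlencode($value);
}

// Assemble "Location: <script>?<k>=<v>&..." from an array of parameters.
function buildRedirect($script, array $params)
{
    $pairs = array();
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . safeQueryValue($v);
    }
    $target = basename($script) . ($pairs ? '?' . implode('&', $pairs) : '');

    // Defence in depth: never emit a header value containing a line break.
    if (preg_match('/[\r\n]/', $target)) {
        throw new RuntimeException('refusing to emit a header containing a line break');
    }
    return 'Location: ' . $target;
}

// admin_css.php-style usage: unknown theme names fall back instead of being echoed.
$theme = isset($_POST['theme']) ? $_POST['theme'] : 'default';
if (!in_array($theme, $allowedThemes, true)) {
    $theme = 'default';
}
header(buildRedirect($_SERVER['PHP_SELF'], array('theme' => $theme)));
exit;

// admin_pages.php-style usage: $fileName and 'editorChoice' go through the same encoder,
// so neither can inject a second header.
// header(buildRedirect($_SERVER['PHP_SELF'], array('fileName' => $fileName,
//        'editorChoice' => isset($_POST['editorChoice']) ? $_POST['editorChoice'] : '')));
```

The allow-list is the stronger control for a parameter with a small fixed set of valid values such as 'theme'; the encoding in safeQueryValue() is what protects free-form values such as 'editorChoice' and the file name. Both are applied here because the encoder also covers any future parameter added to the redirect.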
Proof of Concept
Disclosure Timeline
03.12.2011 Vendor releases patch (http://manx.jovascript.com/downloads.php).
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
28.11.2011 Initial release
29.11.2011 Added reference [1]
30.11.2011 Added reference [2]
01.12.2011 Added references [3], [4], [5], [6], [7], [8] and [9]
03.12.2011 Added vendor status