
Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability

Severity: Medium
Advisory ID: ZSL-2015-5267
Release Date: 07 October 2015
Vendor:
Affected Version: 0.2.9 and 0.2.2
Tested On: Kali, Python
Summary

Kallithea, a member project of Software Freedom Conservancy, is a GPLv3'd, Free Software source code management system that supports two leading version control systems, Mercurial and Git, and has a web interface that is easy to use for users and admins.

Description

Kallithea suffers from an HTTP header injection (response splitting) vulnerability because it fails to properly sanitize user input before using it as an HTTP header value: the GET 'came_from' parameter of the login page is reflected into a response header. This type of attack not only allows a malicious user to control the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.
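The defensive check the description calls for, as an added illustration that is not Kallithea's code or its actual fix: a redirect target taken from a parameter such as 'came_from' is refused if it contains any control character (CR and LF in particular) before it is placed in a Location header. It goes one step beyond the advisory's finding by also refusing absolute and protocol-relative URLs, so the same parameter cannot serve as an open redirect; function names and sample inputs are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed example (not Kallithea's code or its fix): validate a redirect
# target taken from a request parameter such as 'came_from' before it is used
# as the value of a Location header.

# Any ASCII control character (CR and LF in particular) has no place in a
# header value; its presence marks an attempted header injection.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_came_from(value, default="/"):
    """Return `value` if it is a safe same-site path, otherwise `default`.

    The raw string is checked for control characters *before* parsing,
    because urlsplit() silently strips CR, LF and TAB from its input and
    would otherwise hide the injection attempt.
    """
    if not value:
        return default
    if _CONTROL_CHARS.search(value):
        return default
    # Beyond the advisory's finding: also refuse absolute and protocol-
    # relative URLs so the parameter cannot serve as an open redirect.
    if "\\" in value:
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default
    return value


def build_redirect_headers(came_from):
    """Build the header list for a post-login redirect.

    The final check is the invariant a response-splitting fix must keep:
    no header value contains a line terminator.
    """
    headers = [("Location", sanitize_came_from(came_from))]
    for _, v in headers:
        assert "\r" not in v and "\n" not in v
    return headers


if __name__ == "__main__":
    # Constructed inputs: a benign path, one carrying CRLF, one off-site.
    for sample in ["/repo/summary", "/x\r\nX-Injected: 1", "//example.org/"]:
        print(repr(sample), "->", build_redirect_headers(sample))
```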

Proof of Concept
Disclosure Timeline
21.09.2015 Vulnerability discovered.
22.09.2015 Vendor contacted.
22.09.2015 Vendor responds asking for more details.
23.09.2015 Sent details to the vendor.
23.09.2015 Vendor confirms the issue, planning to fix it in version 0.3.
24.09.2015 Working with the vendor.
24.09.2015 CVE-2015-5285 assigned.
02.10.2015 Vendor releases version 0.3 to address this issue.
07.10.2015 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Mads and Andrew!
References
Changelog
07.10.2015 Initial release
11.10.2015 Added references [6], [7] and [8]
12.10.2015 Added reference [9]