Phpwind v9.0 vulnerability in chicken ribs

Although I have set the reading permission for this post, I will not name it if our moderators, core, and honors have lent their IDs to others.

If some of your friends in the internal team really need an ID to read the post in the Forum, let me know. I will give you an invitation code.

Lending your high-Permission ID to others is not responsible for the organization, but I do not want to hold everyone accountable for such a small matter, but this does not mean that I do not know.

========================================================== ======

This vulnerability was accidentally discovered and found to be of little use after testing.

The latest phpwind v9.0 version has the HTTP Response Splitting vulnerability.

This vulnerability is estimated to have seen a lot of play, I also sent a discussion post in this regard: http://sb.f4ck.net/thread-8115-1-1.html

Phpwind v9.0 records the URL of the last accessed page and writes the URL to the cookie, however, in the process of writing a cookie using SetCookie, the line break is not properly intercepted. As a result, attackers can control the end Of the SetCookie and start a new Http Response Header, in this way, there is a security problem, that is, the HTTP Response Splitting vulnerability.

The pid parameter of index. php is affected. I have not tested other parameters.

Test it on the official website. Visit

Http://www.phpwind.net/index.php? A = jump & amp; c = read & amp; pid = 1

The Http Response Header is:
 

 

 

 

In the SetCookie section, we can see that a cookie named xtR_lastvisit has been set. Let's take a look at the configured cookie:

OK. This is normal, and the problem is the SetCookie part.

Submit a test script:

Http://www.phpwind.net/index.php? A = jump & amp; c = read & amp; pid = % 0d % 0a % 20 CustomInjectedHeader: injected_by_f4ck this time the Http Response Header is:

 

For example, you have successfully inserted an Http Response Header named "CustomInjectedHeader" with the value "injected_by_f4ck". The vulnerability is tested successfully.

How can we use this vulnerability after it is detected and tested successfully?

There is very little information about the HTTP Response Splitting vulnerability in China. Every website has two or three Chinese versions. The others are in English and I cannot understand them, this vulnerability exploitation test failed.

 

There is a document saying that, since we can control the Http Response Header, we should first end the normal Http Response Header, after the end, create another Http Response Header + body content to the browser, the address: http://www.bkjia.com/Article/201304/205070.html
For this deception, here may be a more detailed explanation: http://www.bkjia.com/Article/201304/205071.html
I think this idea may be feasible, so I started testing. Submit: http://www.phpwind.net/index.php?a=jump&c=read&pid=1%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2017%0d%0a%0d%0af4ck Access: the page is blank. the test on the official website fails. Why? I think it is because the error ECHO is disabled. So what will happen if the website does not close the error Echo? Find a website that does not close the error echo and test it. paste the error message: Uncaught error with message 'e _ WARNING: Header may not contain more than a single header, new line detected 'J: \ dcx \ bbs \ wind \ web \ WindHttpResponse. php: 619 614: * @ see IWindResponse: sendHeaders () 615: */616: public function sendHeaders () {617: if ($ this-> isSendedHeader () return; 618: foreach ($ this-> _ headers as $ header) {619: header ($ header ['name']. ':'. $ header ['val Ue '], $ header ['replace']); 620:} 621: if ($ this-> _ status) {622: header ('HTTP/1.x '. $ this-> _ status. ''. ucwords ($ this-> codeMap ($ this-> _ status); 623: header ('status :'. $ this-> _ status. ''. ucwords ($ this-> codeMap ($ this-> _ status) __stack: #12 J: \ dcx \ bbs \ wind \ base \ AbstractWindFrontController. php (245) #11 ~ Internal Location ~ (N/A) _ errorHandle (2, "Header may not contain in more than a single header, new line detec... "," J: \ dcx \ bbs \ wind \ web \ WindHttpResponse. php ", 619, array ('header' => array ('name' => 'location', 'value' =>' http://www.danchexing.com/read.php?tid=4&fid=8&page=1# 1 Content-Length: 0 HTTP/1.0 200 OK Content-Type: text/html Content-Length: 17

This test was successful and failed.

 

Why is it successful? Because our injection is successful, it indicates that this vulnerability exists.
Why is it a failure? Because the development framework windframework used by phpwind detects redundant Http Response Headers and intercepts this injection, HTTP Response Splitting fails.

This is all the test process, the last post a widely spread in China HTTP Response Splitting vulnerability information: http://www.bkjia.com/Article/200812/30939.html
 

OVER.