Title: Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability
Advisory ID: ZSL-2011-5048
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 19.09.2011

Summary

Toko Web Content Editor cms is a compact, multi language, open source web editor and content management system (CMS). It is advanced easy to use yet fully featured program that can be integrated with any existing site. It takes 2 minuets to install even for non technical users.

Description

Input passed to the 'charSet' parameter in 'edit.php' is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

--------------------------------------------------------------------------------

/edit.php
----------------
3: $charSet = "iso-8859-1";
4: $dir = "ltr";
5:
6: if ( isset( $_POST[ "charSet" ] ) )
7: {
8: $charSet = $_POST[ "charSet" ];
9:
10: if ( $charSet == "windows-1255" )
11: {
12: $dir = "rtl";
13: }
14: }
15:
16: header( "Content-Type: text/html; charset=" . $charSet );

--------------------------------------------------------------------------------

Vendor

Toko - http://toko-contenteditor.pageil.net

Affected Version

1.5.2

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

N/A

PoC

tokocms_crlf.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://www.exploit-db.com/exploits/17859/
[2] http://packetstormsecurity.org/files/105218
[3] http://www.securityfocus.com/bid/49673
[4] http://1337day.com/exploits/16939
[5] http://securityreason.com/wlb_show/WLB-2011090085
[6] http://securityreason.com/exploitalert/10843
[7] http://xforce.iss.net/xforce/xfdb/69902

Changelog

[19.09.2011] - Initial release
[20.09.2011] - Added reference [3], [4], [5], [6] and [7]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk