Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability
Title: Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability
Advisory ID: ZSL-2015-5267
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.10.2015
Summary
Kallithea, a member project of Software Freedom Conservancy, is a GPLv3-licensed, Free Software source code management system that supports two leading version control systems, Mercurial and Git, and has a web interface that is easy to use for users and admins.
Description
Kallithea suffers from an HTTP header injection (response splitting) vulnerability because it fails to sanitize user input before using it as an HTTP header value: the value of the GET 'came_from' parameter on the login page is copied into a response header without CR/LF characters being rejected or encoded. An attacker who embeds a CR/LF sequence in that value not only controls the remaining headers and body of the response the application intends to send, but can also append additional responses entirely under their control, which is how the issue is turned into cross-site scripting against the victim's browser.
Vendor
Kallithea - https://www.kallithea-scm.org
Affected Version
0.2.9 and 0.2.2
Tested On
Kali
Python
Vendor Status
[21.09.2015] Vulnerability discovered.
[22.09.2015] Vendor contacted.
[22.09.2015] Vendor responds asking more details.
[23.09.2015] Sent details to the vendor.
[23.09.2015] Vendor confirms the issue, planning to fix it in version 0.3.
[24.09.2015] Working with the vendor.
[24.09.2015] CVE-2015-5285 assigned.
[02.10.2015] Vendor releases version 0.3 to address this issue.
[07.10.2015] Coordinated public security advisory released.
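The header injection described above, as an added example that is not part of the advisory and not Kallithea's own code: a hypothetical login handler that copies its came_from parameter verbatim into the Location header, next to a validator that closes the hole. The handler, the INJECTED_CAME_FROM value and the validation policy are constructed for illustration; only the CR/LF failure mode they model is what the advisory reports.

```python
"""Added example, not Kallithea's code: a hypothetical login handler that
echoes its came_from query parameter into the Location header, shown next
to a validator that closes the response-splitting hole. The route, the
parameter handling and the policy below are assumptions for illustration."""
from urllib.parse import unquote, urlsplit

# Constructed attacker value, written as it leaves the query string (%0d%0a)
# and then decoded the way a web framework hands it to the handler.
INJECTED_CAME_FROM = unquote(
    "/%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2025%0d%0a%0d%0a<script>alert(1)</script>"
)


def vulnerable_redirect(came_from: str) -> bytes:
    """Serialise a 302 whose Location value is taken verbatim from the request.

    Frameworks normally build this for you, but the failure mode is the same
    whenever a string containing CR LF reaches the header layer unchecked.
    """
    lines = [
        "HTTP/1.1 302 Found",
        "Location: " + came_from,
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def safe_came_from(value: str, default: str = "/") -> str:
    """Return a redirect target that cannot split the response.

    Policy (an assumption of this example, not the project's exact fix):
    reject every ASCII control character (covers CR, LF and NUL) and accept
    only an origin-relative path, so the value can carry neither a header
    break nor a foreign host. Fall back to the default instead of stripping
    the bad characters, since stripping can be undone by re-encoding.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    # Require exactly one leading slash: browsers treat "//host" and "/\host"
    # as scheme-relative URLs pointing at another origin.
    if not value.startswith("/") or value[1:2] in ("/", "\\"):
        return default
    return value


def hardened_redirect(came_from: str) -> bytes:
    """Same redirect, but the header value has passed safe_came_from()."""
    return vulnerable_redirect(safe_came_from(came_from))


def count_responses(raw: bytes) -> int:
    """Number of HTTP status lines in the byte stream: what a client or proxy
    that frames responses naively would see as separate responses."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


def location_header(raw: bytes) -> str:
    """Location value of the first response in the stream, or '' if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            return value.strip().decode("latin-1")
    return ""


if __name__ == "__main__":
    bad = vulnerable_redirect(INJECTED_CAME_FROM)
    good = hardened_redirect(INJECTED_CAME_FROM)
    print("vulnerable handler emits", count_responses(bad), "responses")
    print("hardened handler emits", count_responses(good), "response(s);",
          "Location =", location_header(good))
```

With the constructed value the vulnerable handler emits two status lines: the first response is truncated to a bare redirect to "/" and the attacker's second response, carrying the script body, follows it. The validator belongs where the parameter is read from the request, before any header is set; many frameworks also refuse header values containing CR or LF, but the same-origin check above is still worth having because it closes the open-redirect use of the same parameter.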
PoC
kallithea_http.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Mads and Andrew!
References
[1] https://kallithea-scm.org/news/release-0.3.html
[2] https://kallithea-scm.org/security/cve-2015-5285.html
[3] https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285
[5] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5285
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/106915
[7] https://cxsecurity.com/issue/WLB-2015100066
[8] https://packetstormsecurity.com/files/133897/Kallithea-0.2.9-HTTP-Response-Splitting.html
[9] https://www.exploit-db.com/exploits/38424/
Changelog
[07.10.2015] - Initial release
[11.10.2015] - Added reference [6], [7] and [8]
[12.10.2015] - Added reference [9]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk