Vulnerabilities > CVE-2005-1951 - HTTP Response Splitting vulnerability in osCommerce

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
oscommerce
nessus
exploit available
NVD
Published: 2005-06-16
Updated: 2016-10-18

Summary

Multiple HTTP Response Splitting vulnerabilities in osCommerce 2.2 Milestone 2 and earlier allow remote attackers to spoof web content and poison web caches via hex-encoded CRLF ("%0d%0a") sequences in the (1) products_id or (2) pid parameter to index.php or (3) goto parameter to banner.php.

Vulnerable Configurations

Part Description Count
Application
Oscommerce
4

Exploit-Db

descriptionosCommerce 2.1/2.2 Multiple HTTP Response Splitting Vulnerabilities. CVE-2005-1951. Webapps exploit for php platform
idEDB-ID:25840
last seen2016-02-03
modified2005-06-17
published2005-06-17
reporterJames Bercegay
sourcehttps://www.exploit-db.com/download/25840/
titleosCommerce 2.1/2.2 - Multiple HTTP Response Splitting Vulnerabilities

Nessus

NASL familyCGI abuses : XSS
NASL idOSCOMMERCE_HTTP_RESPONSE_SPLITTING.NASL
descriptionThe version of osCommerce on the remote host suffers from multiple HTTP response splitting vulnerabilities due to its failure to sanitize user-supplied input to various parameters of the
last seen2020-06-01
modified2020-06-02
plugin id18525
published2005-06-18
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18525
titleosCommerce application_top.php Multiple Parameter HTTP Response Splitting
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18525);
  script_version("1.24");
 script_cvs_date("Date: 2018/11/15 20:50:20");

  script_cve_id("CVE-2005-1951");
  script_bugtraq_id(13979);

  script_name(english:"osCommerce application_top.php Multiple Parameter HTTP Response Splitting");
  script_summary(english:"Checks for multiple HTTP response splitting vulnerabilities in osCommerce");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is susceptible
to multiple HTTP Response splitting attacks." );
  script_set_attribute(attribute:"description", value:
"The version of osCommerce on the remote host suffers from multiple
HTTP response splitting vulnerabilities due to its failure to sanitize
user-supplied input to various parameters of the
'includes/application_top.php' script, the 'goto' parameter of the
'banner.php' script, and possibly others.  An attacker may be able to
exploit these flaws to inject malicious text into HTTP headers,
possibly resulting in the theft of session identifiers and/or
misrepresentation of the affected site." );
   # http://web.archive.org/web/20070523153502/http://www.gulftech.org/?node=research&article_id=00080-06102005
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3f295f7d");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jun/71" );
  script_set_attribute(attribute:"solution", value:"Unknown at this time.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/10");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oscommerce:oscommerce");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("oscommerce_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/oscommerce");
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");


port = get_http_port(default:80, php: 1);

# Test an install.
install = get_install_from_kb(appname:'oscommerce', port:port);
if (isnull(install)) exit(0, "osCommerce wasn't detected on port "+port+".");
dir = install['dir'];


# Grab the main page.
res = http_get_cache(item:string(dir, "/index.php"), port:port, exit_on_fail: 1);

# Identify a product.
pat = '/product_info\\.php\\?products_id=([^&"]+)';
matches = egrep(pattern:pat, string:res);
id = NULL;

if (matches)
{
  foreach match (split(matches, keep:FALSE))
  {
    id = eregmatch(pattern:pat, string:match);
    if (!isnull(id))
    {
      id = id[1];
      break;
    }
  }
}
if (isnull(id)) exit(1, "Failed to identify a product in the osCommerce install at "+build_url(port:port, qs:dir+"/")+".");


# Try an exploit. A vulnerable application will output
# a redirect along with our own redirect.
url = string(
  dir, "/index.php?",
  "action=buy_now&",
  "products_id=22=%0d%0aLocation:%20http://127.0.0.1/index.php?script=", SCRIPT_NAME
);

res = http_send_recv3(port:port, method:"GET", item:url, exit_on_fail: 1);

hdrs = parse_http_headers(status_line:res[0], headers:res[1]);
if (isnull(hdrs['$code'])) code = 0;
else code = hdrs['$code'];

if (isnull(hdrs['location'])) location = "";
else location = hdrs['location'];

# There's a problem if we're redirected to our script name.
if (code == 302 && string("127.0.0.1/index.php?script=", SCRIPT_NAME) >< location)
{
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
  security_warning(port);
  exit(0);
}
else exit(0, "The osCommerce install at "+build_url(port:port, qs:dir+"/")+" is not affected.");

References