0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Joovili 3.1.8 CRLF injection/HTTP response splitting Vulnerability
[==================================================================
Joovili 3.1.8 CRLF injection/HTTP response splitting Vulnerability
==================================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ####################################### 1
0 I'm indoushka member from Inj3ct0r Team 1
1 ####################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
########################################################################
# Vendor: http://www.joovili.com/
# Date: 2010-09-27
# Author : indoushka
# Thanks to : Dz-Ghost Team
# Contact : 00213771818860
# Tested on : windows SP2 Francais V.(Pnx2 2.0)
########################################################################
# Exploit By indoushka
-------------
Vulnerability description:
--------------------------
This script is possibly vulnerable to CRLF injection attacks.
HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination.
If the user input is injected into the value section without properly escaping/removing CRLF characters
it is possible to alter the HTTP headers structure.
HTTP Response Splitting is a new application attack technique which enables various new attacks such as
web cache poisoning, cross user defacement,
hijacking pages with sensitive user information and cross-site scripting (XSS).
The attacker sends a single HTTP request that forces the web server to form an output stream,
which is then interpreted by the target as two HTTP responses instead of one response.
Affected items:
--------------
/public_www/browse.events.php
/public_www/browse.groups.php
/public_www/browse.music.php
/public_www/browse.users.php
/public_www/browse.videos.php
The impact of this vulnerability:
--------------------------------
Is it possible for a remote attacker to inject custom HTTP headers.
For example, an attacker can inject session cookies or HTML code.
This may conduct to vulnerabilities like XSS (cross-site scripting) or session fixation.
How to fix this vulnerability:
-----------------------------
You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.
# 0day.today [2024-12-26] #