Aerosol Posted March 10, 2015

NetCat CMS Multiple HTTP Response Splitting (CRLF) Security Vulnerabilities

Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1
Tested Version: 3.12
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of CRLF Sequences ('CRLF Injection') [CWE-93]
CVE Reference:
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Advisory Details:

(1) Vendor & Product Description:

Vendor:
NetCat

Product & Version:
NetCat
5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Vendor URL & Download:
NetCat can be obtained from here:
http://netcat.ru/

Product Introduction:
NetCat.ru is a Russian local company. "NetCat is designed to create the absolute majority of site types: from a simple "business card" with minimal content to complex web-based systems, from corporate offices to online stores, libraries or media data - in other words, projects in completely different directions and at any level of complexity. Examples of sites running on NetCat CMS can be viewed in a special section."

"Even an inexperienced user can manage a site based on NetCat, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat is constantly improving and adding new features. In the process of finalizing, we necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen NetCat for their projects, and as of 2013 more than 18,000 sites running successfully on our CMS had been created."

(2) Vulnerability Details:

The NetCat web application has a security bug. It can be exploited by HTTP Response Splitting (CRLF) attacks.

This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

(2.1) The first code flaw occurs at the "/post.php" page with the "redirect_url" parameter, by adding "%0d%0a%20".

(2.2) The second code flaw occurs at the "redirect.php?" page with the "url" parameter, by adding "%0d%0a%20".

References:
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/8
http://packetstormsecurity.com/files/130584/NetCat-CMS-5.01-Open-Redirect.html

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts
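The advisory above describes the flaw class (a redirect parameter whose decoded value ends up in a Location header) but not how to check for or close it. The following is an added example, not code from the advisory or from NetCat: it shows the flawed copy-into-header pattern beside a validation routine that rejects CR/LF after full percent-decoding and allow-lists the redirect host. The hostnames, header name and sample URLs are constructed placeholders; only the "%0d%0a%20" shape comes from the advisory.

```python
"""
Added example (not part of the advisory or of NetCat): a redirect parameter
copied into a Location header, shown first the way the flaw class works and
then with the validation that prevents CRLF / header injection.
"""
from typing import Optional, Set
from urllib.parse import unquote, urlsplit

# Constructed sample inputs. The "%0d%0a%20" shape is the one the advisory
# names; the host and header name are placeholders, not values from the page.
BENIGN_URL = "https://example.com/account"
CRLF_URL = "https://example.com/%0d%0a%20X-Injected:%20yes"
DOUBLE_ENCODED_URL = "https://example.com/%250d%250aX-Injected:%20yes"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    %250d%250a is seen as the CRLF it becomes once a server decodes it."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_location_header(redirect_url: str) -> bytes:
    """Flawed pattern: the decoded parameter is copied verbatim into the
    header, so a CR LF inside it terminates the Location line early."""
    return b"Location: " + fully_decode(redirect_url).encode("latin-1") + b"\r\n"


def validate_redirect_target(redirect_url: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Return the target if it is safe to place in a Location header, else None.

    Safe means: after full decoding, only printable ASCII (CR and LF would
    split the header, other control and non-ASCII bytes never belong in a
    header value), and either a local absolute path or an http(s) URL whose
    host is on the allow-list.
    """
    decoded = fully_decode(redirect_url)
    # Check characters BEFORE urlsplit: recent Python versions silently strip
    # CR/LF/TAB inside urlsplit, which would hide the injection from the check.
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in decoded):
        return None
    parts = urlsplit(decoded)
    if parts.scheme == "" and parts.netloc == "":
        # Local path; "//host/..." is scheme-relative, so require a single slash.
        return decoded if decoded.startswith("/") and not decoded.startswith("//") else None
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return decoded
    return None


def safe_location_header(redirect_url: str, allowed_hosts: Set[str], fallback: str = "/") -> bytes:
    """Hardened pattern: only a validated target reaches the header; anything
    else redirects to a fixed local fallback instead of echoing the input."""
    target = validate_redirect_target(redirect_url, allowed_hosts) or fallback
    return b"Location: " + target.encode("ascii") + b"\r\n"


def header_line_count(raw: bytes) -> int:
    """Number of CRLF-terminated lines a response parser would see: 1 for a
    well-formed Location header, more once a CRLF has been injected."""
    return raw.count(b"\r\n")


if __name__ == "__main__":
    hosts = {"example.com"}
    for url in (BENIGN_URL, CRLF_URL, DOUBLE_ENCODED_URL):
        print(repr(url))
        print("  flawed  :", header_line_count(vulnerable_location_header(url)), "line(s)")
        print("  hardened:", safe_location_header(url, hosts))
```

The validation decodes before checking because the server-side framework will decode too; checking the raw query string for a literal "%0d%0a" misses double encoding, and checking after `urlsplit` misses CR/LF that the parser strips. A host allow-list is included because the same parameter, even with CRLF removed, is still an open redirect (the packetstorm reference in the advisory files the issue under that name).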