2006-10-08
andi
"Unsticky" has reported a security problem in fetch.php:
The file fetch.php (i.e.: /lib/exe/fetch.php). The previously mentioned script, fetch.php, is vulnerable to HTTP Header injection and Cross-Site Scripting vulnerabilities, via the GET variable, 'media'. Input into the variable is not properly sanitized, with the only filter I was able to find being that the URL must begin with http://. This improper sanitation of the 'media' value allows for the injection of line break characters (ASCII 10 and 13) to create new lines and fields in the returned HTTP Response header. Doing so allows an attacker to carry out Cross-Site Scripting attacks against users who are tricked into clicking on a link pointing to a crafted URL utilizing fetch.php. Examples of such attacks could be setting cookies, via the Set-Cookie header, rewriting page contents (allowing for the injection of scripts, i.e. XSS), and possibly other attack vectors I have not looked into.
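As an added illustration, not code from DokuWiki's fetch.php, the following PHP contrasts the prefix-only filter the report describes with a check that also rejects CR/LF before a value is reflected into a response header; the function names, the Content-Location header and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not DokuWiki's own fetch.php code). It models the weakness
// described in the report: a 'media' value that is only checked for an
// http:// prefix and is then reflected into an HTTP response header.
// Function names, the header used and the sample inputs are assumptions.

// The only filter the report mentions: the value must begin with http://.
function passesPrefixCheckOnly(string $media): bool
{
    return strpos($media, 'http://') === 0;
}

// Hardened check: keeps the prefix requirement and rejects any value that
// contains CR (ASCII 13) or LF (ASCII 10). A line break inside a header value
// terminates that header line, which is what lets extra header lines appear.
function isSafeHeaderValue(string $media): bool
{
    if (strpos($media, 'http://') !== 0) {
        return false;
    }
    return preg_match('/[\r\n]/', $media) !== 1;
}

// Emits the reflected header only after the hardened check; otherwise sends a
// 400 and stops, so the tainted value never reaches the response headers.
function sendMediaHeader(string $media): void
{
    if (!isSafeHeaderValue($media)) {
        header('HTTP/1.0 400 Bad Request');
        exit;
    }
    header('Content-Location: ' . $media);
}

// Constructed sample inputs for a command-line comparison of the two filters
// (run with the PHP CLI; header() is not called here).
$samples = [
    'http://example.com/img.png',               // benign value
    "http://example.com/x\r\nSet-Cookie: a=b",   // embedded CR LF
    'ftp://example.com/x',                      // fails the prefix rule
];
foreach ($samples as $s) {
    printf("%-45s prefix-only:%s hardened:%s\n",
        str_replace(["\r", "\n"], ['\r', '\n'], $s),
        passesPrefixCheckOnly($s) ? 'pass' : 'fail',
        isSafeHeaderValue($s) ? 'pass' : 'fail');
}
```

The second sample passes the prefix-only filter but is rejected by the hardened check, which is the gap the report describes.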