- Product: Aleph
- Product Version: 20, 21, 22, 23
- Relevant for Installation Type: Dedicated-Direct, Direct, Local, Total Care
This nt.cgi issue showed up in the pentest from a few months ago. Now it's showing in the weekly vulnerability reports.
HTTP Response Splitting Vulnerabilities
HTTP Response Splitting attacks occur when the server script embeds user data in HTTP response headers. Examples of this would be: a script embedding user data in the redirection URL of a redirection response, and a script embedding user data in a cookie value.
As a result of the attack user data can become a part of the HTTP response headers, and can facilitate several attacks: cross-site scripting, web cache poisoning, hijacking pages with user-specific information, and browser cache poisoning.
Any data collected from the client should be URL-encode strings before inclusion into HTTP headers such as Location or Set-Cookie.
Aleph Development has checked this and writes: "We saw a directory /exlibris/aleph/u20_1//alephe/apache/cgi-bin (not cgibin) and under it a file new_titles.cgi (not nt.cgi). If indeed this fits (cgibin to cgi-bin etc...), then it does look as if these URI are indeed custom-made."
"There is no cgi-bin or cgibin in the generic, as-delivered apache; it seems this is something which has been added locally.
If you want to pursue this problem, you will need to reproduce it with the generic, as-distributed apache (as seen in /exlibris/aleph/a20_1/alephe.orig/apache/).
- Article last edited: 16-Aug-2016