Technically http response splitting occurs when a web application fails to reject illegal input such as the CR and LF characters. PHP-Nuke's mainfile.php has had the following function in it: function removecrlf($str) { return strtr($str, "\015\012", ' '); } So the power is there to stop it, but it isn't being used. It should be called more frequently on user input validation. However, a one stop shop would be to install mod_security with the appropriate filters. It won't just protect a webapp like php-nuke or postnuke, it'll protect all the pages accessible via Apache. However, $forwarder should only accept URLs, and nothing more in this example. As such, there ought to be a whitelist of characters that are approved for input specific to URLs. But when it comes to CRLFs, I can't see anything at the moment why they ought to be whitelisted. On 15 Apr 2005, JeiAr wrote: > In-Reply-To: <20050416033018.9721.qmail@xxxxxxxxxxxxxxxxxxxxx> > > "Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() > and other functions for input validation before passing user input > to the mysql database, or before echoing data on the screen, would solve these > problems." > > The htmlspecialchars() would most definately keep the html code from being rendered, but would it really fix http response splitting? > > Maybe something like this would work better? > > $location = str_replace('\n', '', urldecode($location)); > $location = str_replace('\r', '', urldecode($location)); > $location = str_replace('&', '&', htmlspecialchars($location)); > > James > > > >Dcrab 's Security Advisory > >[Hsc Security Group] http://www.hackerscenter.com/ > >[dP Security] http://digitalparadox.org/ > > > >Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah > > > >Severity: High > >Title: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below > >Date: 15/04/2005 > > > >Vendor: Php-Nuke > >Vendor Website: http://www.phpnuke.org > >Summary: There are, http response splitting vulnerability in php-nuke 7.6 and below. -- Sincerely, Paul Laudanski .. Computer Cops, LLC. Microsoft MVP Windows-Security 2005 CastleCops(SM)... http://castlecops.com CC Blog ......... http://blog.castlecops.com Staff Blogs ..... http://busterbunny.castlecops.com Our Vision ...... http://castlecops.com/postt63382.html http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com ________ Information from Computer Cops, L.L.C. ________ This message was checked by NOD32 Antivirus System for Linux Mail Server. part000.txt - is OK http://castlecops.com