| Title | SourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injection |
|---|
| Description | HTTP header injection (CRLF injection) was discovered in the page parameter of dbh.inc.php and delete-forum.php. During security testing, it was found that unauthenticated attackers (with a valid user session and level 1 privileges) can inject CRLF sequences into the Location header, leading to HTTP response splitting, session fixation, and cross-site scripting (XSS).
Example malicious request:
GET /includes/dbh.inc.php?id=1&page=forum%0d%0aSet-Cookie:%20session=Hijacked%0d%0aX-IGNORE: HTTP/1.1
Host: target.com
Cookie: PHPSESSID=valid_session |
|---|
| Source | ⚠️ https://github.com/msaad1999/KLiK-SocialMediaWebsite |
|---|
| User | g111 (UID 92409) |
|---|
| Submission | 04/27/2026 03:54 (3 months ago) |
|---|
| Moderation | 05/24/2026 08:52 (27 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 365401 [KLiK SocialMediaWebsite 1.0 HTTP GET Request Parameter injection] |
|---|
| Points | 0 |
|---|