| Title | SourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injection |
|---|
| Description | During security testing of the delete-forum.php endpoint, an HTTP header injection vulnerability was identified. The application takes user-supplied input from the page parameter and unsafely concatenates it into the Location HTTP response header without proper validation, sanitization, or encoding.
By injecting CR (Carriage Return, %0d) and LF (Line Feed, %0a) characters into the page parameter, an attacker can manipulate the HTTP response structure. The vulnerability is triggered when the application performs a redirect via the header() function after certain conditions are met.
Example malicious request:
GET /includes/delete-forum.php?id=1&page=forum%0d%0aSet-Cookie:%20session=Hijacked%0d%0aX-IGNORE: HTTP/1.1
Host: target.com
Cookie: PHPSESSID=valid_session |
|---|
| Source | ⚠️ https://github.com/msaad1999/KLiK-SocialMediaWebsite |
|---|
| User | g111 (UID 92409) |
|---|
| Submission | 04/27/2026 03:58 (3 months ago) |
|---|
| Moderation | 05/24/2026 08:52 (27 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 365401 [KLiK SocialMediaWebsite 1.0 HTTP GET Request Parameter injection] |
|---|
| Points | 0 |
|---|