Submit #813731: SourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injectioninfo

TitleSourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injection
DescriptionDuring security testing of the delete-forum.php endpoint, an HTTP header injection vulnerability was identified. The application takes user-supplied input from the page parameter and unsafely concatenates it into the Location HTTP response header without proper validation, sanitization, or encoding. By injecting CR (Carriage Return, %0d) and LF (Line Feed, %0a) characters into the page parameter, an attacker can manipulate the HTTP response structure. The vulnerability is triggered when the application performs a redirect via the header() function after certain conditions are met. Example malicious request: GET /includes/delete-forum.php?id=1&page=forum%0d%0aSet-Cookie:%20session=Hijacked%0d%0aX-IGNORE: HTTP/1.1 Host: target.com Cookie: PHPSESSID=valid_session
Source⚠️ https://github.com/msaad1999/KLiK-SocialMediaWebsite
User
 g111 (UID 92409)
Submission04/27/2026 03:58 (3 months ago)
Moderation05/24/2026 08:52 (27 days later)
StatusDuplicate
VulDB entry365401 [KLiK SocialMediaWebsite 1.0 HTTP GET Request Parameter injection]
Points0

Do you want to use VulDB in your project?

Use the official API to access entries easily!