Submit #813732: SourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injectioninfo

TitleSourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injection
DescriptionDuring security testing of the delete-post.php endpoint, an HTTP header injection vulnerability was discovered in the topic parameter. The application takes user-supplied input from the topic parameter and directly concatenates it into the Location HTTP response header without proper sanitization, validation, or encoding. By injecting CR (Carriage Return, %0d) and LF (Line Feed, %0a) characters into the topic parameter, an attacker can manipulate the HTTP response structure. The vulnerability is triggered when the application performs a redirect via the header() function after specific conditions are met (e.g., SQL statement preparation failures or query results). Example malicious request: GET /includes/delete-post.php?topic=1%0d%0aSet-Cookie:%20session=Hijacked%0d%0aX-IGNORE:&post=123&by=1 HTTP/1.1 Host: target.com Cookie: PHPSESSID=valid_session
Source⚠️ https://github.com/msaad1999/KLiK-SocialMediaWebsite
User
 g111 (UID 92409)
Submission04/27/2026 04:01 (3 months ago)
Moderation05/24/2026 08:52 (27 days later)
StatusDuplicate
VulDB entry365401 [KLiK SocialMediaWebsite 1.0 HTTP GET Request Parameter injection]
Points0

Do you want to use VulDB in your project?

Use the official API to access entries easily!