| Title | SourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injection |
|---|
| Description | During security testing of the delete-post.php endpoint, an HTTP header injection vulnerability was discovered in the topic parameter. The application takes user-supplied input from the topic parameter and directly concatenates it into the Location HTTP response header without proper sanitization, validation, or encoding.
By injecting CR (Carriage Return, %0d) and LF (Line Feed, %0a) characters into the topic parameter, an attacker can manipulate the HTTP response structure. The vulnerability is triggered when the application performs a redirect via the header() function after specific conditions are met (e.g., SQL statement preparation failures or query results).
Example malicious request:
GET /includes/delete-post.php?topic=1%0d%0aSet-Cookie:%20session=Hijacked%0d%0aX-IGNORE:&post=123&by=1 HTTP/1.1
Host: target.com
Cookie: PHPSESSID=valid_session |
|---|
| Source | ⚠️ https://github.com/msaad1999/KLiK-SocialMediaWebsite |
|---|
| User | g111 (UID 92409) |
|---|
| Submission | 04/27/2026 04:01 (3 months ago) |
|---|
| Moderation | 05/24/2026 08:52 (27 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 365401 [KLiK SocialMediaWebsite 1.0 HTTP GET Request Parameter injection] |
|---|
| Points | 0 |
|---|