GFI Kerio Control Open Redirect and HTTP Response Splitting Vulnerability Allowing Reflected Cross-Site Scripting and Remote Code Execution

Vulnerability

A vulnerability exists in GFI Kerio Control versions from 9.2.5 up to, but not including, 9.4.5, where the 'dest' GET parameter is not properly sanitized on several non-authenticated pages. This lack of sanitization allows HTTP Response Splitting and Open Redirect attacks, which can be exploited to perform Reflected Cross-Site Scripting (XSS). Additionally, remote code execution can be achieved by leveraging the XSS vulnerability through a known exploit that takes advantage of an upload feature in the admin interface.

Impact

Exploitation of this vulnerability allows for Open Redirect and HTTP Response Splitting attacks, which can be used to perform Reflected Cross-Site Scripting. According to the original advisory, this XSS vulnerability can be exploited to achieve remote code execution on the affected system.

Reproduction

The vulnerability can be reproduced by sending a GET request to one of the affected pages with a 'dest' parameter that includes a Base64-encoded payload. The payload can be crafted to include linefeed characters, which are not properly sanitized, allowing for HTTP Response Splitting. When the browser receives the split response, the injected payload executes, for example an XSS script that alerts the document domain.
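Because the injected content arrives Base64-encoded inside a query parameter, a plain string match for CR/LF in the request will miss it. The following detection script is an added example, not part of the advisory: it decodes the 'dest' value from web-server request lines and flags line breaks, off-site URLs and script content. The request lines and the page path /nonauth/page are constructed placeholders, since the advisory does not name the affected pages.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit


def _req(dest: str) -> str:
    """Constructed request line carrying a Base64- then percent-encoded 'dest' value."""
    encoded = quote(base64.b64encode(dest.encode()).decode(), safe="")
    return "GET /nonauth/page?dest=" + encoded + " HTTP/1.1"


# Constructed sample request lines (not taken from the advisory).
SAMPLE_REQUESTS = [
    _req("/dashboard"),                                         # benign relative path
    _req("/x\r\nSet-Cookie: a=b"),                              # CRLF: header injection
    _req("https://redirect.example/"),                          # off-site redirect target
    _req("/\r\n\r\n<script>alert(document.domain)</script>"),   # split body carrying script
]


def _decode_dest(value: str):
    """Decode a standard or URL-safe Base64 'dest' value; None if it is not Base64."""
    # parse_qs turns an unencoded '+' into a space; restore it, then map URL-safe chars.
    candidate = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(request_line: str) -> list:
    """Return the findings for one request line (empty when 'dest' looks harmless)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    findings = []
    query = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    for value in query.get("dest", []):
        decoded = _decode_dest(value)
        if decoded is None:
            continue
        if "\r" in decoded or "\n" in decoded:                       # response splitting
            findings.append("crlf-in-dest")
        if re.match(r"(?:[a-z][a-z0-9+.-]*:)?//", decoded, re.I):   # absolute or //host URL
            findings.append("external-redirect")
        if re.search(r"<\s*script|javascript:", decoded, re.I):     # reflected XSS content
            findings.append("script-in-dest")
    return findings


def scan(requests):
    """Return (request_line, findings) for every request that produced a finding."""
    return [(r, inspect_request(r)) for r in requests if inspect_request(r)]


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS):
        print(findings, line)
```

The check only works where the proxy or web server logs the full query string; a decoded 'dest' that contains a line break is the strongest indicator, since no legitimate redirect target needs one.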

Remediation

GFI Software has stated that these vulnerabilities were fixed in Kerio Control version 9.4.5p1, which is currently with their internal QA team.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.