View Issue Details

ID: 0008266
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2025-07-14 09:36
Reporter: sahalislaam
Assigned To: daniruiz
Priority: normal
Severity: text
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: kali-dev
Summary: 0008266: Content Spoofing/Text Injection in this http://http.kali.org/kali%20kali-rolling%20main%20contrib%20non-free domain
Description

Hello team,

I have found a content spoofing/text injection issue in this domain: http://http.kali.org/kali%20kali-rolling%20main%20contrib%20non-free.

I have attached a video for better understanding.

Impact
An attacker can use a text injection vulnerability to present a customized message on the application that can phish users into believing that the message is legitimate. The intent is typically to trick victims, although sometimes the actual purpose may be simply to misrepresent the organization or an individual. This attack is typically used as, or in conjunction with, social engineering, because the attack exploits both a code-based vulnerability and a user's trust. As a side note, this attack is widely misunderstood as a kind of bug that has no impact.

Thanks and Regards

Activities

daniruiz (manager), 2023-04-17 11:05, note ~0017806

I don't see this as a reasonable attack. There's no GET variable that can be modified and sent to another user to try to fool them. You'd need to manually change the headers of the request.
Also, the page http.kali.org is meant for apt commands to update packages. It isn't a page a regular user would visit.

sahalislaam (reporter), 2023-04-17 11:43, note ~0017807

Hello daniruiz,

This is not a normal attack for a company. An attacker can do some tricks with the context injection. They can inject the malicious context and turn it into your company's user on the malicious site. If you think this is not a major vulnerability, then you will have to face this problem in the future, or at any time, from an attacker.

Thank you & be aware

Issue History

Date Modified Username Field Change
2023-04-15 13:24 sahalislaam New Issue
2023-04-15 13:24 sahalislaam File Added: kali.org text injection in http header.mp4
2023-04-17 11:05 daniruiz Note Added: 0017806
2023-04-17 11:43 sahalislaam Note Added: 0017807
2023-04-17 14:24 daniruiz Assigned To => daniruiz
2023-04-17 14:24 daniruiz Status new => closed
2023-04-17 14:24 daniruiz Resolution open => no change required
2025-07-14 09:36 g0tmi1k Priority high => normal