From: Markus Arndt (markus-arndt@web.de)
Date: Sun Apr 21 2002 - 04:03:07 CDT

    Target:
     Philip Chinery's Guestbook 1.1 (maybe older versions too?)

    Vendor:
     http://www.sector7g.de.vu

    Notified Vendor:
     Sure

    Affected Systems:
     Webservers that run "Philip Chinery's Guestbook 1.1"

    Found by:
     Markus Arndt <markus-arndt@web.de>

    Short Description:
     Philip Chinery's Guestbook 1.1 fails to filter JavaScript/HTML out of several form fields (cross-site scripting)

    This nice little guestbook lets the owner choose to filter JavaScript and/or HTML out of entries.
    Here is the start of the sub that saves an entry:

    ---code starts---

    sub SaveData
    {
        # Owner setting 1: strip anything that looks like a tag
        if($kill_html == 1) {
            $Text =~ s/<([^>]|\n)*>//g;
        }

        # Owner setting 2: escape angle brackets instead of stripping
        if($kill_html == 2) {
            $Text =~ s/</&lt;/g;
            $Text =~ s/>/&gt;/g;
        }

        # "kill_java" does nothing more than strip HTML comments
        if ($kill_java) {
            $Text =~ s/<!--(.|\n)*-->//g;
        }

        # Cosmetic rewrites; note that every substitution in this sub
        # operates on $Text only (rest of the sub omitted)
        $Text =~ s/\n/&nbsp;<br>/g;
        $Text =~ tr/|/ /;
        $Text =~ s/\t/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/g;
        $Text =~ s/\cM//g;

    ---code ends---

    That is all it filters. As you can see, only $Text, the comment body a visitor wrote, is ever touched:
    the other fields of an entry, such as "Name", "EMail" or "Homepage", are stored and displayed without any check!

    So let's build a URL that exploits this:

    http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=<script>alert("gotcha!");</script>&EMail=example@example.com&Text=css%20example

    This posts an entry whose "Name" field carries the script tag unfiltered, so every visitor
    who opens the guestbook gets the alert box on their screen.

    As I noticed, the guestbook logs IP addresses but doesn't prevent spam.
    It also automatically redirects posters back to the main guestbook page.
    That makes it very easy to post entries that e.g. force visitors to spam the guestbook (really annoying).

    Sorry for bad English, hope you can understand what I'm talking about. ;)

    Markus Arndt <markus-arndt@web.de>
    http://skka.de
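The per-field gap described in the post, worked through as an added example (this is not the guestbook's own code nor part of the original advisory). The three filters from SaveData are ported from Perl to Python regexes, applied to the fields of the advisory's own sign URL (re-encoded here as a constructed query string), and the resulting entry is rendered the way a listing page would: the payload in Name survives untouched while the same payload in Text is stripped. A second save routine, an assumed fix rather than the vendor's, escapes every field before storing it. The field names Name, EMail and Text are those in the URL; parse_request, render and is_script_injected are helpers invented for this example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed query string: the advisory's sign URL, percent-encoded.
QUERY = ("action=sign&cwrite=none"
         "&Name=%3Cscript%3Ealert(%22gotcha!%22)%3B%3C/script%3E"
         "&EMail=example%40example.com&Text=css%20example")


def parse_request(query: str) -> dict:
    """Flatten a CGI query string into {field: value} (first value wins)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def filter_text(text: str, kill_html: int, kill_java: bool) -> str:
    """Python port of the substitutions in SaveData(); operates on one string."""
    if kill_html == 1:
        # s/<([^>]|\n)*>//g : drop anything that looks like a tag
        text = re.sub(r"<([^>]|\n)*>", "", text)
    if kill_html == 2:
        # s/</&lt;/g ; s/>/&gt;/g : neutralise angle brackets
        text = text.replace("<", "&lt;").replace(">", "&gt;")
    if kill_java:
        # s/<!--(.|\n)*-->//g : all "kill_java" does is strip HTML comments
        text = re.sub(r"<!--(.|\n)*-->", "", text)
    # cosmetic rewrites from the original sub
    text = text.replace("\n", "&nbsp;<br>")
    text = text.replace("|", " ")
    text = text.replace("\t", "&nbsp;" * 8)
    text = text.replace("\r", "")
    return text


def save_entry_original(fields: dict, kill_html: int = 2, kill_java: bool = True) -> dict:
    """What the guestbook stores: only Text goes through the filters."""
    entry = {k: fields.get(k, "") for k in ("Name", "EMail", "Text")}
    entry["Text"] = filter_text(entry["Text"], kill_html, kill_java)
    return entry


def save_entry_hardened(fields: dict) -> dict:
    """Assumed fix: HTML-escape every user-supplied field, not just Text."""
    entry = {k: html.escape(fields.get(k, ""), quote=True)
             for k in ("Name", "EMail", "Text")}
    # keep the line-break rewrite, but apply it after escaping so a visitor
    # cannot smuggle markup through it
    entry["Text"] = entry["Text"].replace("\r", "").replace("\n", "&nbsp;<br>")
    return entry


def render(entry: dict) -> str:
    """Minimal stand-in for the page that lists stored guestbook entries."""
    return (f"<p><b>{entry['Name']}</b> &lt;{entry['EMail']}&gt;<br>"
            f"{entry['Text']}</p>")


def is_script_injected(page: str) -> bool:
    """True if a live <script> tag made it into the rendered page."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    fields = parse_request(QUERY)
    print("original :", render(save_entry_original(fields)))
    print("hardened :", render(save_entry_hardened(fields)))
```

Running it prints the original listing with a live `<script>` tag inside the `<b>` name element and the hardened listing with the payload reduced to `&lt;script&gt;...`; swapping the payload into Text instead shows the original filters do work for that one field.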