OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
New Vulnerability

From: Joshua P. Miller (jpmillertds.net)
Date: Sun Oct 26 2003 - 00:16:56 CDT


I would like to submit a vulnerability that I just recently discovered. I
have already contacted the vendor of the software that I discovered the bug
in, but they have not gotten back to me. There are two Code Injection/CSS
vulnerabilities that exist in Guestbook Version 1.51 by Chi Kien Uong
(www.proxy2.de). Although I have not checked, it would not come as a
surprise if prior versions are vulnerable as well.

The first vulnerability arises when HTML is enabled. When a user posts a
message with HTML in it, the tags that are used are not filtered in any way.
Thus, anyone viewing the guestbook is vulnerable to attack (redirection,
cookie stealing, etc.)

The second vulnerability is quite a bit less severe. When a user submits an
e-mail address or a URL, double quotation marks are not filtered. So, if the
first character of the e-mail or URL input is a double quotation mark, all
data after that is appended to the e-mail or URL link. If I were to submit
this:

            " onmouseover="alert(document.cookie)

as my e-mail address or homepage URL, that exact attribute would be added to
the link. Anyone viewing the guestbook could be attacked in several of the
same ways as with the first vulnerability that I described. It is less
severe, though, because they would have to click on or hover over the link
to initiate the attack.

These vulnerabilities were discovered on October 23, 2003.

I would appreciate being informed if this vulnerability gets posted. Thanks!

Joshua P. Miller
jpmillertds.net