[SUPERPETZ ADVISORY #002- Faq-O-Matic Cross-Site Scripting Vulnerability]

       /\_/\        +
      :_   _:      ++
      :>o<:_____+++
       \-/______++
      /\      /\

(collect them all! this one is a lynx!!)

TITLE: Faq-O-Matic Cross-Site Scripting Vulnerability
-----

discovery date: February 1st, 2002
--------------

publication date: February 4th, 2002
----------------

impact: low-to-low-medium
------

local: no way!
-----

remote: yes!
------

introduction:
------------

This is a great little product for managing a bunch of FAQs. It allows people who visit the site to maintain the FAQ by adding new questions and answers and stuff like that. It has quite a pleasing colour scheme. Also the name of the product has some real pep, it reminds me of a vacuum cleaner. Vrooooooom! Though it is obvious by the motif of the Faq-O-Matic website that they are aiming for more of a food processor feel. Check it out here:

http://faqomatic.sourceforge.net/fom-serve/cache/1.html

Faq-O-Matic is open-source. It appears to be quite popular. Additionally, a huge body of people have contributed to it. Faq-O-Matic 2.712 was the version I tested. At the time of writing, this is the most recent stable version of the software.

The vendor's personal page has a wonderful picture of a sassy-looking green cat:

http://www.cs.dartmouth.edu/~jonh/whome2/image=L500dejo.html

background:
----------

Faq-O-Matic has some cross-site scripting problems. Cross-Site Scripting, in short, is a type of problem that allows a malicious person to make a nice person run some JavaScript in their browser. The JavaScript is executed on the victim and is in the context of the super website running Faq-O-Matic Frequently Asked Question manager. For more information on cross-site scripting, check it here:

http://www.cert.org/advisories/CA-2000-02.html
http://httpd.apache.org/info/css-security/

I just picked this program at random because I liked the peppy name. It turns out there was a very recent discussion on the Faq-O-Matic mailing list about the possibility of CSS bugs. So this is pretty timely.

details:
-------

You can reproduce this condition with the following example:

http://faqomaticsite/cgi-bin/fom/fom.cgi?cmd=
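For the admin side of the problem above, here is an added example that is not from the advisory or from Faq-O-Matic itself: it escapes a request parameter before it is echoed into a page (the fix any CGI script needs for reflected cross-site scripting) and scans constructed access-log lines for fom.cgi requests whose cmd value carries markup. The log lines, client addresses and the regular expressions are my own assumptions; only the /cgi-bin/fom/fom.cgi path and the cmd parameter come from the advisory.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2002:10:00:01 +0000] "GET /cgi-bin/fom/fom.cgi?cmd=search HTTP/1.0" 200 1432
10.0.0.9 - - [04/Feb/2002:10:00:07 +0000] "GET /cgi-bin/fom/fom.cgi?cmd=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.0" 200 612
10.0.0.7 - - [04/Feb/2002:10:00:09 +0000] "GET /fom-serve/cache/1.html HTTP/1.0" 200 9011
"""

# client, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Characters and schemes that have no business inside a plain FAQ command value.
MARKUP_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)


def escape_for_html(value):
    """Escape a request parameter before echoing it into an HTML page.
    quote=True also covers the attribute context (value inside "..." or '...')."""
    return html.escape(value, quote=True)


def cmd_values(query):
    """Return every percent-decoded value of the cmd parameter in a query string."""
    return parse_qs(query, keep_blank_values=True).get("cmd", [])


def suspicious_requests(log_text):
    """Return (client, decoded cmd) pairs for fom.cgi requests whose cmd contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/fom.cgi"):
            continue
        for value in cmd_values(parts.query):
            if MARKUP_RE.search(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        # Shown escaped, the way the CGI should have rendered it in the first place.
        print(client, "sent a cmd value that renders harmlessly as:", escape_for_html(value))
```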