Another Faq-O-Matic XSS Vuln?

From: BrainRawt . (brainrawtat_private)
Date: Fri Apr 19 2002 - 16:03:49 PDT


    Another Faq-O-Matic XSS Vuln?
    -----------------------------
    
    I have seen other XSS advisories on bugtraq and securityfocus for
    Faq-O-Matic, but I have not seen an advisory for this particular
    vulnerability.
    
    Faq-O-Matic XSS (cross site scripting) Vulnerability
    Discovered By BrainRawt (http://rawt.daemon.sh)
    
    
    About Faq-O-Matic:
    ------------------
    The Faq-O-Matic is a CGI-based system that automates the process of
    maintaining a FAQ (or Frequently Asked Questions list). It allows visitors
    to your FAQ to take part in keeping it up-to-date.  Faq-O-Matic can be
    downloaded @ http://sourceforge.net/projects/faqomatic
    
    
    Vulnerable (tested) Versions:
    -----------------------------
    Faq-O-Matic 2.712
    Faq-O-Matic 2.711
    
    Vendor Contact:
    ----------------
    4-19-02 - An email was sent to jonhowell at users.sourceforge.net discussing
               this issue.
    
    4-19-02 - An email was received from Jon Howell claiming that this
               vulnerability and others have been fixed in the current CVS tree,
               which hasn't been released yet.
    
    NOTE:  Jon seems like a great guy and as you can see by the date, replied to
            my email VERY quickly.  Thanks a lot Jon for your quick reply and I
            hope to see that new CVS tree released soon.
    
    
    Vulnerability:
    ----------------
    Faq-O-Matic's fom.cgi improperly filters "file", which can be changed by
    visitors to the site.  If the "file" doesn't exist, the script prints it to
    the html.  A malicious visitor to this website can change "file" from its
    original call and insert javascript into the site.  This vulnerability can
    be used for various reasons from website redirection to cookie theft.
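    The pattern described above, as an added example that is not Faq-O-Matic's
    own code: a stand-in for the "echo the unknown file name into the error
    page" behaviour beside an HTML-escaped version, plus a small check a site
    owner could run over web server log lines to spot fom requests whose "file"
    parameter carries markup.  The item store, the error message wording and the
    log lines are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

KNOWN_FILES = {"1", "2", "cache"}  # constructed stand-in for the FAQ item store


def render_missing_vulnerable(file_param: str) -> str:
    """Behaviour the advisory describes: the unknown name is interpolated raw."""
    return f"<p>Could not find file {file_param}.</p>"


def render_missing_fixed(file_param: str) -> str:
    """Hardened form: HTML-escape anything that came from the query string."""
    return f"<p>Could not find file {html.escape(file_param, quote=True)}.</p>"


def render(file_param: str, safe: bool = True) -> str:
    """Dispatch on whether the requested item exists, as fom.cgi is said to."""
    if file_param in KNOWN_FILES:
        return f"<p>Item {file_param}</p>"
    return render_missing_fixed(file_param) if safe else render_missing_vulnerable(file_param)


# Characters a FAQ item name never needs but markup injection does.
MARKUP = re.compile(r"[<>\"']")


def flag_fom_request(log_line: str):
    """Return the decoded "file" value if a fom request carries markup, else None.

    Assumes NCSA common log format (the constructed sample below)."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith(("/fom", "/fom.cgi")):
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so the check sees
    # the same text the CGI script would have echoed.
    for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
        if MARKUP.search(value):
            return value
    return None


SAMPLE_LOG = [  # constructed log lines
    '10.0.0.5 - - [19/Apr/2002:16:03:49 -0700] "GET /cgi-bin/fom?file=1 HTTP/1.0" 200 512',
    '10.0.0.9 - - [19/Apr/2002:16:05:01 -0700] "GET /cgi-bin/fom?file=%3Cb%3Ex%3C/b%3E&step HTTP/1.0" 200 611',
]
```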
    
    Exploit (POC):
    ----------------
    http://www.target.net/path_to_Faq-O-Matic/fom?file=>alert('If+this+script
    +was+modified,+it+could+easily+steal+amigadev.net+cookies+and+log+them+to+a+remote
    +location')</script>&step
    
    --------------------------------------------------------------------------
    Which Looks Better? BlackHat or White?  You Decide! - BrainRawt
    
    



    This archive was generated by hypermail 2b30 : Sat Apr 20 2002 - 12:22:38 PDT