[logs] Cross-site Scripting Flaw in webalizer (fwd)

From: Tina Bird (tbird@precision-guesswork.com)
Date: Wed Oct 24 2001 - 10:30:45 PDT


    ---------- Forwarded message ----------
    Date: Wed, 24 Oct 2001 11:18:14 -0200 (BRST)
    From: MASA <masaat_private>
    To: BUGTRAQ Mailing List <bugtraqat_private>
    Subject: Cross-site Scripting Flaw in webalizer
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    MASA:01-01:en - Cross-site Scripting Flaw in webalizer
    
    
    Overview
    
       The webalizer is a popular web server log file analysis tool which
       produces reports in HTML format. Some webalizer versions contain two
       flaws that may allow a malicious user to insert unquoted data into the
       generated reports. This may be used to run scripts in the security
       context of the viewed site, as explained in the [1]CA-2000-02
       Malicious HTML Tags Embedded in Client Web Requests CERT/CC advisory
       (aka "cross-site scripting bug"). Under certain conditions, these
       flaws may allow a malicious user to run commands remotely on the web
       server where the reports are stored.
    
    Detailed Description
    
       The list below summarizes the flaws that may be exploited by a
       malicious user to inject HTML tags into webalizer reports. Once
       injected, the malicious data will be processed as soon as a victim
       user visits the compromised report.
    
       Tags in host names
              The webalizer program blindly trusts the data returned by the
              operating system resolver library, when doing reverse address
              resolution. A malicious user who has control over a DNS reverse
              address mapping zone can set up an address with a PTR record
              pointing to a name containing HTML tags, and then access the
              web server where webalizer is run periodically. When the
              webalizer program is run on the log files, the address recorded
              on them will resolve to a name containing the HTML tags, which
              will be inserted unmodified into the generated HTML reports.
    
              Notice that the number of systems made vulnerable by this flaw
              may be small, as most modern resolver libraries refuse to
              return host names containing HTML meta-characters.
    
       Tags in search keywords
              The webalizer program has the ability to parse the contents
              of HTTP referrer information stored in log files. The data
              collected is then compared to a list of search engine URLs, so
              that the program can present the words used to reach the
              analyzed site. Unfortunately, extracted keywords are stored
              unmodified in the generated HTML files -- this allows a
              malicious user to introduce tags directly into the reports, by
              connecting to the web server and sending a "Referer" HTTP
              header containing HTML meta-characters.
    
       These vulnerabilities may be exploited by a malicious user to run
       scripts on the user agent (e.g. web browser) accessing the compromised
       HTML reports, as described by the CERT/CC advisory mentioned above.
    
       However, these vulnerabilities are much more dangerous because the
       unvalidated user input is not output dynamically, but written to files
       on the web server file system instead. If these files are going to be
       interpreted by some scripting engine (such as Apache SSI, PHP, etc.),
       a malicious user can inject special tags that may trigger the script
       interpreter. This may allow the malicious user to run commands
       remotely on the web server.
    
    Impact
    
         * Malicious users may run client-side scripts on the web user agent
           accessing a webalizer report, under the security context of the
           viewed site.
         * Malicious users may run commands remotely on the server where the
           webalizer reports are stored, if they are going to be parsed by
           scripting engines.
    
    Who is Affected
    
       These flaws were confirmed in webalizer 2.01-06. Older versions were
       not tested.
    
       To be vulnerable to the "tags in host names" flaw, the following
       conditions must be met:
    
         * DNS name resolution is enabled in webalizer (e.g. the option
           --enable-dns was used when calling configure).
         * The operating system resolver library does not filter out HTML
           meta-characters in returned host names.
    
       To be vulnerable to the "tags in search keywords" flaw, the following
       conditions must be met:
    
         * HTTP referrer information is being output to log files to be
           analyzed by webalizer.
         * The webalizer program is configured to parse HTTP referrer
           information looking for search engine URLs. Unfortunately, this is
           enabled by default on the sample configuration file installed with
           the program, and the program will silently enable it, if no
           configuration file is being used.
    
    Solution/workarounds
    
       The author of webalizer was contacted and provided a fix for these
       issues. A patch is available at
       [2]ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch.
    
    Acknowledgments
    
       Thanks to Bradford L. Barrett <[3]bradat_private> (the author of
       webalizer) for promptly replying and providing a fix.
    
    Additional Information
    
       MASA:01-01:en Copyright © 2001 by Magnux Software, Rio de
       Janeiro/Brazil. All rights reserved. This document may be copied and
       distributed freely in electronic form, provided that you keep it
       unchanged. Parts of it may be used unchanged and in electronic form
       only without the need of explicit author authorization, provided
       that proper credits are given in the form "MASA:01-01:en from Magnux
       Software (http://www.magnux.com/)". To copy or reprint the whole or
       any part of this document in any other non-electronic medium, contact
       <[4]masaat_private>.
    
       The information in this document may change without notice. The
       information contained in this document is provided for EDUCATIONAL
       PURPOSE ONLY and without ANY WARRANTY. In no event shall the author be
       liable for any damages whatsoever arising out of or in connection with
       the use or spread of this information. Any use of this information is
       at the user's own risk.
    
       This advisory and further updates, plus other advisories issued by
       Magnux Software, can be found on the [5]MASA Advisories Page on the
       [6]Magnux Software INTL web site. Questions about Magnux Software may
       be sent to <[7]adminat_private>. GPG keys are available at
       [8]http://www.magnux.com/gpg-keys.txt.
    
    References
    
       1. http://www.cert.org/advisories/CA-2000-02.html
       2. ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch
       3. mailto:bradat_private
       4. mailto:masaat_private
       5. http://intl.magnux.com/masa/
       6. http://intl.magnux.com/
       7. mailto:adminat_private
       8. http://www.magnux.com/gpg-keys.txt
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE71ehbCd55iUBoMvYRAu5DAKCBLgbIE88hQoX8lRw64MRy8q02SwCeM2Om
    +O4EkAD/ktktxJr3qyzg18I=
    =YL3b
    -----END PGP SIGNATURE-----
    
    
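The two injection paths in the forwarded advisory ("tags in host names" and "tags in search keywords"), worked through as an added example in Python. This code is not part of the original message and is not webalizer's own code; it is a stand-in that does what a log analyser does with the two untrusted fields. The log lines, the reverse-DNS answers (a dictionary in place of the OS resolver), the search-engine table and every function name are constructed for this example and are assumptions, not data from the advisory. It shows where raw interpolation of a resolved host name or a referer search string leaves a live tag in the report, how escaping at the point the value enters HTML closes both paths (turning `<` into `&lt;` also defuses the SSI or PHP tags the advisory warns a server-side interpreter would otherwise act on), why a name handed back by the resolver should be checked against the host-name character set before it is trusted, and a scan that flags log entries carrying HTML meta-characters in either field so an existing log can be checked for attempts.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-log lines (not from any real server). The third
# line carries a Referer whose search string is a script tag; the others are
# benign.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Oct/2001:11:18:14 -0200] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
192.0.2.11 - - [24/Oct/2001:11:18:15 -0200] "GET /docs/ HTTP/1.0" 200 5678 "http://www.google.com/search?q=webalizer+reports" "Mozilla/4.0"
192.0.2.12 - - [24/Oct/2001:11:18:16 -0200] "GET / HTTP/1.0" 200 1234 "http://www.google.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E" "Mozilla/4.0"
192.0.2.13 - - [24/Oct/2001:11:18:17 -0200] "GET / HTTP/1.0" 200 1234 "http://search.yahoo.com/bin/search?p=log+analysis" "Mozilla/4.0"
"""

# Constructed reverse-DNS answers standing in for the OS resolver (a real run
# would call socket.gethostbyaddr). The PTR name for 192.0.2.12 carries a
# tag, which is the "tags in host names" case.
FAKE_PTR = {
    "192.0.2.10": "host10.example.net",
    "192.0.2.11": "host11.example.net",
    "192.0.2.12": "<img src=x onerror=alert(1)>.example.net",
    "192.0.2.13": "host13.example.net",
}

# Assumed search-engine table in the spirit of webalizer's "SearchEngine
# <domain> <param>=" directive: (substring of referer host, query parameter).
SEARCH_ENGINES = [("google.", "q"), ("yahoo.", "p")]

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Only RFC 952/1123 host-name characters: letters, digits, hyphens and dots.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")

# Characters that must never reach an HTML report unescaped.
HTML_META = re.compile(r"""[<>"'&]""")


def parse_line(line):
    """Split one combined-log line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_keywords(referer):
    """Return the search phrase from a referer URL, or None when the referer
    is absent or not from a recognised engine. This is the value webalizer
    copies into its search-strings table; parse_qs already percent-decodes
    it and turns '+' into spaces, so tags arrive fully decoded."""
    if not referer or referer == "-":
        return None
    parts = urlparse(referer)
    for domain, param in SEARCH_ENGINES:
        if domain in parts.netloc.lower():
            values = parse_qs(parts.query).get(param)
            if values:
                return values[0]
    return None


def resolve_hostname(ip, resolver=FAKE_PTR.get):
    """Reverse-resolve ip, but refuse any answer that is not a syntactically
    valid host name and fall back to the bare address instead."""
    name = resolver(ip)
    if name and HOSTNAME_RE.match(name):
        return name
    return ip


def vulnerable_row(host, keywords):
    """What the unpatched report generation amounts to: raw interpolation."""
    return f"<tr><td>{host}</td><td>{keywords}</td></tr>"


def hardened_row(host, keywords):
    """Escape every log-derived value at the point it enters the HTML."""
    return f"<tr><td>{html.escape(host)}</td><td>{html.escape(keywords)}</td></tr>"


def scan_log(text, resolver=FAKE_PTR.get):
    """Flag entries whose search keywords or PTR name carry HTML
    meta-characters: a simple detection for attempts on these two flaws.
    Returns (client address, field, offending value) tuples."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        kw = search_keywords(entry["referer"])
        if kw and HTML_META.search(kw):
            findings.append((entry["host"], "referer", kw))
        ptr = resolver(entry["host"])
        if ptr and not HOSTNAME_RE.match(ptr):
            findings.append((entry["host"], "ptr", ptr))
    return findings


if __name__ == "__main__":
    for ip, field, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: {field} carries HTML meta-characters: {value!r}")
    kw = search_keywords("http://www.google.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E")
    print(vulnerable_row(FAKE_PTR["192.0.2.12"], kw))
    print(hardened_row(resolve_hostname("192.0.2.12"), kw))
```

Run as a script it prints the two flagged entries for 192.0.2.12, the row an unpatched generator would write (both tags intact) and the escaped row. The resolver is a dictionary so the example runs offline; passing `resolver=lambda ip: socket.gethostbyaddr(ip)[0]` to `scan_log` or `resolve_hostname` gives the real lookup, and the host-name check is what keeps the result safe regardless of how strict the local resolver library happens to be.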
    



    This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 12:54:58 PDT