Re: False Positive in cross_site_scripting.nasl

From: Sullo (sqat_private)
Date: Fri Mar 01 2002 - 16:56:39 PST


    Yes, it would report a positive in the case you mention below. The 
    question really is: is it a false positive or a real problem? I've been 
    searching the Neohapsis/BugTraq archives and can't find an 
    example of CSS in that context.
    
    However, the server is returning unfiltered/parsed/encoded user-
    originated content back, which means in some way trust could be 
    exploited. Just because the popular browsers are safe from this 
    doesn't mean all web browsers (agents/bots/code) are. But does 
    encoding that return break the HTTP RFC? I'm not sure.
    
    The "fix" for the plugin is to strip (or just ignore) everything up to the 
    start of the Content-Type header, but... I'm not sure that's the right 
    answer. Anyone?
    
    I'll keep researching, though; it's a good observation and an interesting 
    problem.
    
    Thanks
    Sullo
    
     
    > I think that cross_site_scripting.nasl will report a security hole 
    when the webserver returns the requested, non-sanitized file 
    name in the http status field.  However, the web browsers I tested 
    don't treat the http status field as HTML.
    > 
    > Attached is an updated copy of the css nasl.  
    > 
    > Here's an example of a session that nessus will false positive 
    on:
    > 
    > [root@nsd2 plugins]# telnet 10.0.0.211 80
    > Trying 10.0.0.211...
    > Connected to 10.0.0.211.
    > Escape character is '^]'.
    > GET /<SCRIPT>alert('Vulnerable')</SCRIPT> HTTP/1.1
    > 
    > HTTP/1.1 404 /<SCRIPT>alert('Vulnerable')</SCRIPT>
    > Content-Type: text/html
    > Date: Fri, 01 Mar 2002 21:34:28 GMT
    > Server: Apache Tomcat/4.0.1 (HTTP/1.1 Connector)
    > Connection: close
    > 
    > <html><head><title>Apache Tomcat/4.0.1 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahooma;color : black;background-color : white;} B{color : white;background-color : #0086b2;} HR{color : #0086b2;} --></STYLE> </head><body><h1>Apache Tomcat/4.0.1 - HTTP Status 404 - /&lt;SCRIPT&gt;alert('Vulnerable')&lt;/SCRIPT&gt;</h1><HR size="1" noshade><p><b>type</b> Status report</p><p><b>message</b> <u>/&lt;SCRIPT&gt;alert('Vulnerable')&lt;/SCRIPT&gt;</u></p><p><b>description</b> <u>The requested resource (/&lt;SCRIPT&gt;alert('Vulnerable')&lt;/SCRIPT&gt;) is not available.</u></p><HR size="1" noshade></body></html>Connection closed by foreign host.
    > 
    > -- 
    > ^Drew
    > 
    > http://guh.nu
    > 
    > --Begin PGP Fingerprint--
    > 3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
    > --End PGP Fingerprint--
    
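The plugin "fix" discussed in this thread (only count a reflection that lands in the HTML body, not in the status line or headers) written out as an added example; this is not the Nessus plugin's NASL code and not from either poster. The sample response is reconstructed from the Tomcat 4.0.1 session quoted above, with CRLF line endings assumed and the body shortened to the part that carries the reflection.

```python
import html

# Probe string from the quoted telnet session.
PROBE = "<SCRIPT>alert('Vulnerable')</SCRIPT>"

# Constructed from the Tomcat 4.0.1 response quoted in the thread: the probe is
# echoed verbatim in the status line but entity-encoded in the body.
TOMCAT_RESPONSE = (
    "HTTP/1.1 404 /" + PROBE + "\r\n"
    "Content-Type: text/html\r\n"
    "Date: Fri, 01 Mar 2002 21:34:28 GMT\r\n"
    "Server: Apache Tomcat/4.0.1 (HTTP/1.1 Connector)\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 404 - /"
    + html.escape(PROBE, quote=False) + "</h1></body></html>"
)

# Constructed counterpart: the same response had the body NOT been encoded.
UNSAFE_RESPONSE = TOMCAT_RESPONSE.replace(html.escape(PROBE, quote=False), PROBE)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate servers that send bare LF line endings
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    status_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def classify_reflection(raw, probe=PROBE):
    """Return the set of places the probe is reflected verbatim.

    'body' is only reported for a text/html response, since that is the
    context a browser will render as HTML; 'status-line' and 'header'
    reflections are reported separately so the check can ignore them.
    """
    status_line, headers, body = split_response(raw)
    where = set()
    if probe in status_line:
        where.add("status-line")
    if any(probe in value for value in headers.values()):
        where.add("header")
    if probe in body and headers.get("content-type", "").lower().startswith("text/html"):
        where.add("body")
    return where


def is_xss_positive(raw, probe=PROBE):
    """Plugin decision under the proposed fix: only a body reflection counts."""
    return "body" in classify_reflection(raw, probe)
```

Run against the quoted Tomcat session the check reports only a status-line reflection and stays quiet, while the unencoded variant is flagged.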



    This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 16:57:08 PST