[30833] in bugtraq
Re: CGI.pm vulnerable to Cross-site Scripting
daemon@ATHENA.MIT.EDU (Erwann CORVELLEC)
Mon Jul 21 15:53:34 2003
Message-ID: <3F1C40D1.5090404@free.fr>
Date: Mon, 21 Jul 2003 21:36:49 +0200
From: Erwann CORVELLEC <Erwann.Corvellec@free.fr>
MIME-Version: 1.0
To: bugtraq@securityfocus.com, lstein@cshl.org
In-Reply-To: <1058738554.2822.15.camel@hotwire.ob5cure.com>
Content-Type: multipart/mixed;
boundary="------------040603050409050506020805"
--------------040603050409050506020805
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 8bit
Please find attached a more thorough patch against version 2.93 of CGI.pm
Lincoln, could you include it in an urgent security release please ?
Le 21/07/2003 00:06, obscure a écrit :
> Advisory Title: CGI.pm vulnerable to Cross-site Scripting.
> Release Date: July 19 2003
>
> Application: CGI.pm - which is by default included in many common Perl
> distributions.
>
>
> Platform: Most platforms. Tested on Apache and IIS.
>
> Version: CGI.pm
>
> Severity: Effects scripts which make use of start_form()
>
> Author:
> Obscure^
> [ obscure@eyeonsecurity.org ]
>
> Vendor Status:
> first informed on 30th April 2003
> Although the author told EoS that he will be releasing a fix within a
> week from his last correspondence (May15), no fix is out yet on his
> website.
>
>
> Web:
>
> http://stein.cshl.org/WWW/software/CGI/
> http://eyeonsecurity.org/advisories/
>
>
> Background.
>
> (extracted from
> http://stein.cshl.org/WWW/software/CGI/)
>
> This perl 5 library uses objects to create Web fill-out forms on the fly
> and to parse their contents. It provides a simple interface for parsing
> and interpreting query strings passed to CGI scripts. However, it also
> offers a rich set of functions for creating fill-out forms. Instead of
> remembering the syntax for HTML form elements, you just make a series of
> perl function calls. An important fringe benefit of this is that the
> value of the previous query is used to initialize the form, so that the
> state of the form is preserved from invocation to invocation. .
>
>
> Problem
>
> CGI.pm has the ability to create forms by making use of the start_form()
> function. The developer/perl scripter can also makes use of
> start_multipart_form() which relies on start_form() and is therefore
> vulnerable to the same issue. When the action for the form is not
> specified, it is given the value of $self->url(-absolute=>1,-path=>1) -
> which means that when the url is something like the following :
>
> http://host/script.pl?">some%20text<!--%20
>
> .. the form becomes <form action="http://host/script.pl">some text<!-- "
>
>
> In such case, it is possible to exploit this issue to launch a Cross
> Site Scripting attack.
>
> Exploit Examples.
>
> --
> #!/usr/bin/perl
> # example of exploitable script
> #
>
> use CGI;
>
> $q = new CGI;
> print $q->header;
> print $q->start_html('CGI.pm XSS');
> print $q->start_form();
> print $q->end_form();
> print $q->end_html;
>
> --
>
> Fix.
>
> I fixed my CGI.pm by adding the following code at line 1537
>
> $action =~ s/\"/\%22/g;
>
>
> Disclaimer.
>
> The information within this document may change without notice. Use of
> this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties with regard to this information.
> In no event shall the author be liable for any consequences whatsoever
> arising out of or in connection with the use or spread of this
> information. Any use of this information lays within the user's
> responsibility.
>
>
> Feedback.
>
> Please send suggestions, updates, and comments to:
>
> Eye on Security
> mail : obscure@eyeonsecurity.org
> web : http://www.eyeonsecurity.org
--------------040603050409050506020805
Content-Type: text/plain;
name="CGI.pm-2.93-erwann_corvellec-startform-XSS-protection.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="CGI.pm-2.93-erwann_corvellec-startform-XSS-protection.patch"
--- CGI.pm.orig 2003-04-28 15:35:56.000000000 +0200
+++ CGI.pm 2003-07-21 20:32:45.000000000 +0200
@@ -1629,7 +1629,7 @@
unless (defined $action) {
$action = $self->url(-absolute=>1,-path=>1);
if (length($ENV{QUERY_STRING})>0) {
- $action .= "?$ENV{QUERY_STRING}";
+ $action .= '?' . $self->escapeHTML($ENV{QUERY_STRING},1);
}
}
$action = qq(action="$action");
--------------040603050409050506020805--
