[UNIX] Cross-Site Scripting Flaw in Webalizer

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Cross-Site Scripting Flaw in Webalizer
Message-Id: <20011028220518.60544138BF@mail.der-keiler.de>
Date: Sun, 28 Oct 2001 23:05:18 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cross-Site Scripting Flaw in Webalizer
------------------------------------------------------------------------

SUMMARY

The webalizer is a popular web server log file analysis tool that produces
reports in HTML format. Some webalizer versions contain two flaws that may
allow a malicious user to insert unquoted data into the generated reports.
This may be used to run scripts in the security context of the viewed
site, as explained in the CERT/CC advisory CA-2000-02, "Malicious HTML
Tags Embedded in Client Web Requests" (the "cross-site scripting bug"),
available at <http://www.securiteam.com/exploits/5IP000K0LI.html>. It may
also allow a malicious user to run commands remotely on the web server
where the reports are stored.

DETAILS

Vulnerable systems:
Webalizer version 2.01-06

The list below summarizes the flaws that may be exploited by a malicious
user to inject HTML tags into webalizer reports. Once injected, the
malicious data will be processed as soon as a victim user visits the
compromised report.

Tags in host names
The webalizer program blindly trusts the data returned by the operating
system resolver library when doing reverse address resolution. A
malicious user who has control over a DNS reverse address-mapping zone can
set up an address whose PTR record points to a name containing HTML tags,
and then access the web server where webalizer is run periodically. When
the webalizer program is run on the log files, the address recorded in
them will resolve to a name containing the HTML tags, which will be
inserted unmodified into the generated HTML reports.

Notice that the number of systems made vulnerable by this flaw may be
small, as most modern resolver libraries refuse to return host names
containing HTML meta-characters.

Tags in search keywords
The webalizer program can parse the HTTP referrer information stored in
log files. The collected data is then compared to a list of search engine
URLs, so that the program can present the words used to reach the analyzed
site. Unfortunately, the extracted keywords are stored unmodified in the
generated HTML files. This allows a malicious user to introduce tags
directly into the reports by connecting to the web server and sending a
"Referrer" HTTP header containing HTML meta-characters.

These vulnerabilities may be exploited by a malicious user to run scripts
on the user agent (e.g. web browser) accessing the compromised HTML
reports, as described by the CERT/CC advisory mentioned above.

However, these vulnerabilities are much more dangerous because the
unvalidated user input is not output dynamically, but written to files on
the web server file system instead. If these files are going to be
interpreted by some scripting engine (such as Apache SSI, PHP, etc.), a
malicious user can inject special tags that may trigger the script
interpreter. This may allow the malicious user to run commands remotely on
the web server.
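The root cause of both flaws is the same: a value taken from an untrusted source (a PTR answer, a referrer query string) reaches the HTML report without being escaped. The following C code is an added example written for this bulletin; it is not webalizer's code and not the vendor patch referenced below. It assumes a hypothetical report writer that receives the resolver's answer and the client's numeric address for the host column, and the raw referrer URL plus the name of the search engine's query parameter (here "q", constructed) for the keyword column. The inputs in main() are constructed to contain script tags so the two defences can be seen working.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape HTML meta-characters in src into dst (dstlen bytes).
 * Returns the number of bytes written, or -1 if dst is too small. */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t rl = strlen(rep);
        if (n + rl + 1 > dstlen) return -1;   /* keep room for the NUL */
        memcpy(dst + n, rep, rl);
        n += rl;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Return 1 if name is a syntactically valid host name (RFC 1123: letters,
 * digits and hyphens in dot-separated labels), else 0. A trailing dot is
 * not accepted. This is the check the resolver library is trusted to do. */
int valid_hostname(const char *name)
{
    size_t len = strlen(name);
    int label = 0;
    if (len == 0 || len > 253) return 0;
    for (const char *p = name; *p; p++) {
        if (*p == '.') {
            if (label == 0 || p[-1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)*p) || (*p == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else {
            return 0;                         /* '<', '>', space, ... */
        }
    }
    return label > 0 && name[len - 1] != '-';
}

/* Host column: use the resolver's answer only if it is a clean host name,
 * otherwise fall back to the numeric address recorded in the log. */
const char *report_host(const char *resolved, const char *addr)
{
    return (resolved && valid_hostname(resolved)) ? resolved : addr;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Copy the URL-decoded value of query parameter param from url into out.
 * Returns 1 if the parameter was found and fitted, else 0. */
int query_param(const char *url, const char *param, char *out, size_t outlen)
{
    const char *q = strchr(url, '?');
    const char *p = q ? q + 1 : NULL;
    size_t plen = strlen(param);
    while (p && *p) {
        const char *end = strchr(p, '&');
        if (!end) end = p + strlen(p);
        if ((size_t)(end - p) > plen && strncmp(p, param, plen) == 0 && p[plen] == '=') {
            const char *v = p + plen + 1;
            size_t n = 0;
            while (v < end) {
                int hi, lo;
                if (n + 1 >= outlen) return 0;
                if (*v == '+') {
                    out[n++] = ' '; v++;
                } else if (*v == '%' && v + 2 < end &&
                           (hi = hexval(v[1])) >= 0 && (lo = hexval(v[2])) >= 0) {
                    out[n++] = (char)(hi * 16 + lo); v += 3;
                } else {
                    out[n++] = *v++;          /* malformed escape: copy as-is */
                }
            }
            out[n] = '\0';
            return 1;
        }
        p = *end ? end + 1 : end;
    }
    return 0;
}

/* Keyword column: decode the search term, then escape it before it is
 * written to the report. Returns 1 on success, 0 if absent or too long. */
int report_keyword(const char *referrer, const char *param, char *out, size_t outlen)
{
    char raw[512];
    if (!query_param(referrer, param, raw, sizeof raw)) return 0;
    return html_escape(raw, out, outlen) >= 0;
}

int main(void)
{
    /* Constructed inputs: a hostile PTR answer and a hostile referrer URL. */
    const char *ptr = "<script>alert(1)</script>.example.com";
    const char *ref = "http://search.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&hl=en";
    char kw[256];
    printf("host column: %s\n", report_host(ptr, "192.0.2.10"));
    if (report_keyword(ref, "q", kw, sizeof kw))
        printf("keyword column: %s\n", kw);
    return 0;
}
```

Escaping at the point of output is the fix that covers both flaws; the host-name syntax check is an additional defence for the case the bulletin names, a resolver that hands back names with meta-characters. The size checks matter here because a PTR answer or a referrer is also attacker-sized, not just attacker-typed.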

Impact:
 * Malicious users may run client-side scripts on the web user agent
accessing a webalizer report, under the security context of the viewed
site.
 * Malicious users may run commands remotely on the server where the
webalizer reports are stored, if they are going to be parsed by scripting
engines.

Who is affected:
To be vulnerable to the "tags in host names" flaw, the following
conditions must be met:

 * DNS name resolution is enabled in webalizer (e.g. the option
--enable-dns was used when calling configure).
 * The operating system resolver library does not filter out HTML
meta-characters in returned host names.

To be vulnerable to the "tags in search keywords" flaw, the following
conditions must be met:

 * HTTP referrer information is being output to log files to be analyzed
by webalizer.
 * The webalizer program is configured to parse HTTP referrer information
looking for search engine URLs. Unfortunately, this is enabled by default
in the sample configuration file installed with the program, and the
program silently enables it if no configuration file is used.

Solution:
The author of webalizer was contacted and provided a fix for these
issues. A patch is available at:
ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch

ADDITIONAL INFORMATION

The information has been provided by <mailto:masa@magnux.com> MASA.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.