[UNIX] Philip Chinery's Guestbook Cross Site Scripting Vulnerability

From: support@securiteam.com
Date: 04/23/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 23 Apr 2002 21:27:15 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Philip Chinery's Guestbook Cross Site Scripting Vulnerability
------------------------------------------------------------------------

SUMMARY

Philip Chinery's Guestbook is a simple to use and install guestbook
utility, the utility has been found to contain a vulnerability that would
allow attackers to post malicious JavaScript code into guestbook entries,
thus forcing the viewing users to execute it.

DETAILS

Vulnerable systems:
 * Philip Chinery's Guestbook 1.1

Philip Chinery's Guestbook fails to filter out incoming JavaScript/HTML.
The program contains some filtering techniques but it does not apply them
to all the user provided fields, as shown in the below code:

---code starts---

sub SaveData
{
    if($kill_html == 1) {
    $Text =~ s/<([^>]|\n)*>//g;
}
   
    if($kill_html == 2) {
    $Text =~ s/</</g;
    $Text =~ s/>/>/g;
}

    if ($kill_java) {
$Text =~ s/<!--(.|\n)*-->//g;
}
    $Text =~ s/\n/ <br>/g;
    $Text =~ tr/|/ /;
    $Text =~ s/\t/ /g;
    $Text =~ s/\cM//g;

---code ends---

As we can see, it does only filter the comment itself a user wrote. For
example the fields "Name", "EMail" or "Homepage" are not filter.

So we can build an URL like so:
http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=alert("gotcha!");
</scr!pt>&EMail=example@example.com&Text=css%20example

(NOTE, the letter I has been replaced with !)

This would post a message that would display an alert box on the visitor's
screen when he accesses the guestbook program.

ADDITIONAL INFORMATION

The information has been provided by <mailto:markus-arndt@web.de> Markus
Arnd.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • Re: An unpleasant experience with T&M
    ... I had gone back to the guestbook of T&M this evening, ... For the response from the T&M this afternoon. ... they would investigate the reasons. ... T&M used a spam filter which had filtered my email. ...
    (uk.rec.gardening)
  • Philip Chinerys Guestbook 1.1 fails to filter out js/html
    ... Philip Chinery's Guestbook 1.1 ... Notified Vendor: ... This nice lil' guestbook let's the owner choose to filter out Jscript- and/or HTML-entrys.. ...
    (Bugtraq)
  • Guestbook entries question
    ... If a filter with bad words etc. isn't what you mean, ... you could put an extra field in the DB, ... Readers from the guestbook can only read messages where ... greetings knoakske ...
    (comp.lang.php)
  • [UNIX] CGI-Citys CCGuestBook Script Injection Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... a "simple guestbook program that is very easy to configure and install. ... injected script will be executed in the user's browser whenever he visits ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)