[UNIX] Geeklog XSS and CRLF Injection

From: support@securiteam.com
Date: 07/21/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 21 Jul 2002 19:01:34 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Geeklog XSS and CRLF Injection
------------------------------------------------------------------------

SUMMARY

 <http://geeklog.sourceforge.net/> Geeklog is a 'blog', otherwise known as
a Weblog. It allows you to create your own virtual community area,
complete with user administration, story posting, messaging, comments,
polls, calendar, web links, and more! It can run on many different
operating systems, and uses PHP4 and MySQL. A security vulnerability in
the product allows remote attackers to insert malicious HTML and
JavaScript into existing web pages and to reveal hidden email addresses by
inserting an extra CRLF sequence into email the program sends.

DETAILS

Vulnerable systems:
 * Geeklog version 1.3.5sr1

Immune systems:
 * Geeklog version 1.3.5sr2

1) Geeklog has an XSS hole that affects both the stories and the comments.
The program removes the HTML elements that are used for scripting, but it
fails to remove the HTML attributes (intrinsic event handlers) that are
used for the same purpose, which leads to this hole.

One example of an XSS attack would be:
<b onMouseOver="self.location.href='http://localhost/geeklog/'">life has
made her that much bolder now</b>

When a victim moves the mouse pointer over the quote from "Lady Godiva's
Operation", an intrinsic event occurs and the JavaScript code is executed.

(There is also an XSS issue in the search engine, but it is minor in its
effects)
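The filtering gap described above, as an added example (this is not Geeklog's code and not the advisor's; tag and attribute allow-lists and the URL scheme check are assumptions chosen for illustration): an element-only filter lets the advisory's payload through untouched, while an allow-list sanitizer that drops every `on*` attribute, every attribute not explicitly permitted, and non-http/mailto/relative `href` values neutralises it.

```python
import html
import re
from html.parser import HTMLParser

# The payload quoted in the advisory: no <script> element at all, only an
# intrinsic event attribute on an otherwise harmless <b> tag.
ADVISORY_PAYLOAD = (
    '<b onMouseOver="self.location.href=\'http://localhost/geeklog/\'">'
    'life has made her that much bolder now</b>'
)

SCRIPT_ELEMENT_RE = re.compile(r'<\s*/?\s*script[^>]*>', re.IGNORECASE)


def naive_filter(html_in: str) -> str:
    """Element-only filtering of the kind the advisory describes: removes
    <script> tags but leaves every attribute of every other tag in place."""
    return SCRIPT_ELEMENT_RE.sub('', html_in)


# Assumed allow-lists for the hardened filter (not Geeklog's own policy).
ALLOWED_TAGS = {'b', 'i', 'p', 'a', 'br'}
ALLOWED_ATTRS = {'a': {'href'}}
SAFE_HREF_RE = re.compile(r'^(https?:|mailto:|/)', re.IGNORECASE)


class AllowListSanitizer(HTMLParser):
    """Rebuilds the markup from parsed tokens, keeping only allowed tags and
    attributes; everything else (including on* handlers) is dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ''
            if name.startswith('on'):
                continue  # intrinsic event handler: the advisory's vector
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # attribute not on the allow-list for this tag
            if name == 'href' and not SAFE_HREF_RE.match(value.strip()):
                continue  # javascript:, data:, vbscript: etc. are rejected
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f'&{name};')

    def handle_charref(self, name):
        self.out.append(f'&#{name};')


def sanitize(html_in: str) -> str:
    """Hardened filter: attribute-aware allow-listing instead of tag removal."""
    parser = AllowListSanitizer()
    parser.feed(html_in)
    parser.close()
    return ''.join(parser.out)


if __name__ == '__main__':
    print('naive   :', naive_filter(ADVISORY_PAYLOAD))
    print('hardened:', sanitize(ADVISORY_PAYLOAD))
```

The design point is that a blacklist of element names can never keep up with the attribute surface of HTML; rebuilding output from an allow-list of tags and attributes is what removes the whole class of intrinsic-event injections, not just the one quoted in the advisory.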

2) Geeklog has a CRLF Injection hole in User Profile: Send Email. The
users' mail addresses are meant to be secret, but by using this hole, you
can get someone's mail address anyway.

The problem is that you can add extra mail headers, by using a CRLF
sequence followed by an extra mail header in the Subject field. One way
to add them is saving the HTML document with the form, and changing the
<input type=text name=subject> tag to a textarea. After opening the edited
document in a web browser, you enter a Subject line in the textarea, press
Enter, and then you enter your extra mail header. When the mail is sent,
that header will be included. If the header in question is "Bcc: <your
own mail address>", the message will silently be copied to you, thus
revealing the recipient's mail address without them knowing.
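The header injection described above, as an added example that is not Geeklog's code (the address values are constructed placeholders, and the concatenation-style header builder is an assumed reconstruction of the pattern behind the hole, not the project's source): it shows how a Subject value containing CRLF becomes a second header once concatenated into the header block, a detection routine that lists the header names a single form field would smuggle, and the mitigation of refusing any CR or LF in a header value, including the check that Python's own `EmailMessage` applies under its default policy.

```python
import re
from email.message import EmailMessage

# Constructed sample input: what the advisory's edited textarea submits as
# the Subject field. Addresses are placeholders, not from the advisory.
CLEAN_SUBJECT = "Question about your story"
INJECTED_SUBJECT = "Question about your story\r\nBcc: eavesdropper@example.invalid"

LINE_BREAK_RE = re.compile(r"[\r\n]")


def build_naive_headers(to_addr: str, from_addr: str, subject: str) -> str:
    """Header block assembled by string concatenation, the pattern the hole
    implies: the Subject field is copied into the header block verbatim."""
    return f"To: {to_addr}\r\nFrom: {from_addr}\r\nSubject: {subject}\r\n"


def parse_header_block(block: str) -> list[tuple[str, str]]:
    """Split a header block into (name, value) pairs the way a mail transfer
    agent would, accepting CRLF, bare LF and bare CR as line terminators."""
    pairs = []
    for line in re.split(r"\r\n|\n|\r", block.strip("\r\n")):
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def smuggled_header_names(field_value: str) -> list[str]:
    """Detection: header names that one form field would add to the message
    if it were concatenated into the header block (empty for clean input)."""
    return [name for name, _ in parse_header_block(field_value)[1:]]


def is_safe_header_value(value: str) -> bool:
    """Mitigation: a header value may never contain CR or LF; reject rather
    than strip, so the submitter learns the input was refused."""
    return LINE_BREAK_RE.search(value) is None


def accepted_by_email_package(subject: str) -> bool:
    """EmailMessage with the stdlib default policy raises ValueError on a
    multi-line header value, so the injected header never reaches the MTA."""
    msg = EmailMessage()
    try:
        msg["Subject"] = subject
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    block = build_naive_headers("recipient@example.invalid",
                                "sender@example.invalid", INJECTED_SUBJECT)
    for name, value in parse_header_block(block):
        print(f"{name}: {value}")
    print("smuggled:", smuggled_header_names(INJECTED_SUBJECT))
    print("safe?", is_safe_header_value(INJECTED_SUBJECT))
```

Running the block prints four headers, the last being `bcc: eavesdropper@example.invalid`, which is exactly the silent copy the advisory describes; the same check that `is_safe_header_value` performs belongs on every user-supplied value that is placed in a mail header, not only Subject.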

Vendor status:
The vendor was contacted on 1 July. Version 1.3.5sr2, which does not have
any of these security holes, was released on 9 July.

ADDITIONAL INFORMATION

The information has been provided by <mailto:ulfh@update.uu.se> Ulf
Harnhammar.
