[UNIX] ht://Check Cross-Site Scripting
From: support@securiteam.com Date: 09/12/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 12 Sep 2002 17:57:00 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ht://Check Cross-Site Scripting
------------------------------------------------------------------------
SUMMARY
<http://htcheck.sourceforge.net/> ht://Check is a link checker derived
from ht://Dig. It can retrieve information through HTTP/1.1 and store it
in a MySQL database so that after a "crawl", ht://Check can return broken
links, anchors not found, content-types, and HTTP status code summaries.
A PHP interface lets the user query and view the results directly via
the web. Inadequate filtering allows an attacker to cause the product to
display malicious HTML or JavaScript code.
DETAILS
ht://Check's PHP interface has some Cross-Site Scripting problems. It
does not remove HTML tags before displaying the crawled web servers'
"Server:" headers and other information.
This hole is particularly serious if the PHP interface is used as part
of a company's Intranet, and if attackers control one of the crawled web
servers. In that case, the attackers may be able to perform actions in
the Intranet even if they do not have access to it. They can do that by
putting HTML tags in the "Server:" header that redirect a legitimate
Intranet user's web browser to some script in the Intranet that does
something.
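The display problem described above, next to a hardened form, as an added example that is not taken from ht://Check's code. The row layout, function names and sample values are constructed for illustration, and escaping at output time with htmlspecialchars() is the approach chosen here, not a description of the fix in the project's CVS.

```php
<?php
// Added illustration; not ht://Check source. Function and field names are hypothetical.

// Constructed sample rows, standing in for what a crawl stored in the database.
// The second row's Server value carries markup supplied by the crawled host.
$rows = [
    ['url' => 'http://intranet.example/', 'status' => 200, 'server' => 'Apache/1.3.26 (Unix)'],
    ['url' => 'http://partner.example/',  'status' => 200, 'server' => 'Apache <b>injected markup</b>'],
];

// Escape a crawled value for an HTML text or attribute context.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern: the stored header goes into the page verbatim.
function render_row_unfiltered(array $r): string
{
    return "<tr><td>{$r['url']}</td><td>{$r['status']}</td><td>{$r['server']}</td></tr>";
}

// Hardened pattern: every crawler-derived field is escaped at output time.
function render_row_escaped(array $r): string
{
    return '<tr><td>' . h($r['url']) . '</td><td>' . h($r['status'])
         . '</td><td>' . h($r['server']) . '</td></tr>';
}

// Audit helper: rows whose stored value changes when escaped, i.e. contains
// HTML metacharacters and deserves a look before it is ever rendered.
function rows_with_markup(array $rows, string $field): array
{
    return array_values(array_filter($rows, fn($r) => h($r[$field]) !== (string) $r[$field]));
}

foreach ($rows as $r) {
    echo render_row_unfiltered($r), "\n";   // second row: <b> is interpreted as a tag
    echo render_row_escaped($r), "\n";      // second row: &lt;b&gt; is shown as text
}
foreach (rows_with_markup($rows, 'server') as $r) {
    echo "review: {$r['url']} stored Server value contains HTML metacharacters\n";
}
```

The same escaping applies to every other crawler-derived field the interface prints, since the advisory notes that the "Server:" header is not the only unfiltered value.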
Vendor status:
The vendor was contacted on the 1st of July. This problem has been fixed
in the program's CVS repository, but no new stable version has been
released yet.
ADDITIONAL INFORMATION
The information has been provided by <mailto:ulfh@update.uu.se> Ulf
Harnhammar.