[NT] LiteServe Directory Index Cross-Site Scripting

From: support@securiteam.com
Date: 11/10/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 10 Nov 2002 11:17:48 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure, please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  LiteServe Directory Index Cross-Site Scripting
------------------------------------------------------------------------

SUMMARY

 <http://www.cmfperception.com/> LiteServe is a powerful, full-featured
Web, email and FTP server. This server software is perfect for personal
websites or commercial sites with high traffic demands and multiple
domains. All the services that you need work together efficiently in a
single program to provide you with a feature-packed server solution that
is easy to setup, manage, and monitor. A vulnerability in the product
allows remote attackers to cause multiple cross site scripting
vulnerabilities.

DETAILS

DNS Wildcard XSS
This is similar to the Apache XSS of last month. A malicious 'Host'
header entity is created by a specially encoded hostname. When the
hostname is rejected by the DNS server, the request is routed back to the
parent:

http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E.liteserve.net/dir

Directory Query String XSS
The LiteServe directory indexing system fails to strip query strings from
indexed folders, meaning that the URL returned by LiteServe is susceptible
to cross-site scripting. URL decoding is performed before return:

http://liteserve.net/dir?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E

These are essentially the same HTML, just different issues. There is also
a title tag that isn't filtered:

http://liteserve.net/dir?%3C%2FTITLE%3E%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E

ADDITIONAL INFORMATION

The original advisory can be downloaded by going to:
 <http://www.techie.hopto.org/vulns/2002-37.txt>
http://www.techie.hopto.org/vulns/2002-37.txt

The information has been provided by <mailto:mattmurphy@kc.rr.com>
Matthew Murphy.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages