[UNIX] RxGoogle CGI Cross-Site Scripting (Query Parameter)
From: SecuriTeam (support_at_securiteam.com)
Date: 02/05/04
To: list@securiteam.com Date: 5 Feb 2004 19:28:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
RxGoogle CGI Cross-Site Scripting (Query Parameter)
------------------------------------------------------------------------
SUMMARY
<http://www.uspharmd.com/scripts/scripts.html> RxGoogle is "a free search
engine script: Provide your website visitors with your own net search
program. This script allows your visitor to perform web search within your
site without redirecting".
There is an XSS vulnerability in the query parameter of the CGI that
allows remote attackers to insert malicious HTML and/or JavaScript into
existing web pages.
DETAILS
Vulnerable Systems:
* RxGoogle version 1.0
RxGoogle is a CGI script written in Perl. The 'query' parameter is not
being filtered for HTML metacharacters, causing an XSS vulnerability.
Exploit:
http://host.com/cgi-bin/rxgoogle.cgi?query=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E
Solution:
Sanitize user input, in this case the $site variable, as the following
patch demonstrates:
----START
--- rxgoogle.cgi 2004-02-04 14:20:38.000000000 -0500
+++ test 2004-02-04 14:27:29.000000000 -0500
@@ -197,7 +197,13 @@
my $req = new HTTP::Request GET => "$url";
my $res = $ua->request($req);
if ($res->is_success) { $page_returned =
$res->content; } return $page_returned;}
-sub parse{my (@pairs, %in);my (@pairs, %in);my
($buffer, $pair, $name, $value);if
($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs = split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;($value eq "---") and next PAIR;exists
$in{$name} ? ($in{$name} .= "$value") : ($in{$name}
= $value);}return %in;}
+
+# This parsing routine poorly sanitized user-input,
thus allowing injection
+# of metametachars, such as '< ' and '>'. I have
patched the problem now, by
+# filtering input quite well now.
+#
+# -Shaun2k2
+sub parse{$OK_CHARS='-a-zA-Z0-9_.@'; my (@pairs,
%in);my (@pairs, %in);my ($buffer, $pair, $name,
$value);if ($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs =
split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$name =~ s/[^$OK_CHARS]/_/go;$value =~
tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ s/[^$OK_CHARS]/_/go;($value eq
"---") and next PAIR;exists $in{$name} ? ($in{$name}
= "$value") : ($in{$name} = $value);}return %in;}
sub html_navbar{my
($maxhits,$current,$numhits,$url)=0;my ($html, $nh,
$prev_hit, $next_hit, $left, $right, $first, $last,
$lower, $upper)="";$maxhits =shift; $numhits =shift;
$current =shift; $url =shift;
$nh=int($current/$maxhits)+1; $prev_hit=$nh-1;
$next_hit=$nh+1; if (($current + $maxhits) >=
$numhits) {$next_hit=0;}if ($numhits > $maxhits) {
$left = $nh; $right = int($numhits/$maxhits) -
$nh; ($left > 7) ? ($lower = $left -
7) : ($lower = 1); ($right > 7) ? ($upper = $nh
+ 7) : ($upper = int($numhits/$maxhits) + 1);
(7 - $nh >= 0) and ($upper = $upper + (8 - $nh));
($nh > ($numhits/$maxhits - 7)) and ($lower = $lower
- ($nh - int($numhits/$maxhits - 7) - 1));
$html = ""; ($nh > 1) and ($html .= qq~< a
href="$url&start=$prev_hit">[previous]< /a> ~);
for ($i = 1; $i < = int($numhits/$maxhits) + 1; $i++) {
if ($i < $lower) { $html .= " ... "; $i =
($lower-1); next; } if ($i >
$upper) { $html .= " ... "; last; } ($i ==
$nh) ? ($html .= qq~$i ~) :
($html .= qq~< a href="$url&start=$i">$i< /a> ~);
(($i * $maxhits) >= $numhits) and last;
}if ($next_hit) { $html .= qq~< a
href="$url&start=$next_hit">[next]< /a> ~ unless ($nh
== $i); } }return $html;}
1;
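Review bot: the added parse() whitelist `$value =~ s/[^$OK_CHARS]/_/go` rewrites every character outside `-a-zA-Z0-9_.@` to `_`, and because the preceding `$value =~ tr/+/ /` has just turned `+` into a space, a two-word search such as `red shoes` now reaches the script as `red_shoes`; that is a functional regression for the search feature rather than a pure hardening change, and applying the same rule to $name also silently renames any field whose name contains other characters. The narrower fix is to leave parse() alone and HTML-encode the query value at the point where it is written into the response (the advisory itself notes that html_encode already exists in rxgoogle.cgi). Two further points: the replacement parse() changes the handling of repeated parameter names, since `$in{$name} .= "$value"` (append) in the removed version has become `$in{$name} = "$value"` (overwrite) in the added one, which the comment does not mention; and `$OK_CHARS` is assigned without `my`, so it becomes a package global that fails under `use strict` unless declared. The comment's "metametachars" should read "metacharacters".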
@@ -224,4 +230,4 @@
print WRITEIT "$site\n";
close(WRITEIT);
}
-
\ No newline at end of file
+
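Review bot: this hunk only replaces the missing newline at end of file with a trailing blank line and has no bearing on the XSS fix; keep it if the goal is a clean EOF, otherwise drop it to keep the patch minimal. Separately, the `+++ test` file header shows the patch was generated against a copy named `test`, which is why the apply command in the advisory names rxgoogle.cgi explicitly instead of letting patch take the target from the header.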
---END
Apply the patch as below:
$ patch rxgoogle.cgi rxgoogle-xss.patch
It is also possible to use the subroutine html_encode in rxgoogle.cgi to
filter the $site variable.
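An added example, not RxGoogle's own code, contrasting the patch's character whitelist with HTML-escaping at output time. html_escape is an assumed stand-in for what an html_encode-style helper should do, and both inputs are constructed.

```perl
#!/usr/bin/perl
# Added example, not part of rxgoogle.cgi: compare the advisory patch's
# input whitelist with escaping the value where it is written into HTML.
use strict;
use warnings;

# What the patched parse() does to every parameter value: any character
# outside -a-zA-Z0-9_.@ becomes '_'. Because tr/+/ / has already turned
# '+' into a space, a two-word search "red shoes" becomes "red_shoes".
sub whitelist_filter {
    my ($value) = @_;
    my $ok_chars = '-a-zA-Z0-9_.@';
    $value =~ s/[^$ok_chars]/_/g;
    return $value;
}

# Assumed html_encode-style helper: escape the five HTML metacharacters
# so the value is inert inside element content or a quoted attribute,
# while leaving the search text itself intact.
sub html_escape {
    my ($value) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $value =~ s/([&<>"'])/$map{$1}/g;
    return $value;
}

# URL-decode one query-string value the same way parse() does.
sub url_decode {
    my ($value) = @_;
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
    return $value;
}

# Constructed inputs: an ordinary two-word search and the advisory's probe.
for my $raw ('red+shoes', '%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E') {
    my $query = url_decode($raw);
    printf "raw:       %s\n", $raw;
    printf "whitelist: %s\n", whitelist_filter($query);
    printf "escaped:   %s\n\n", html_escape($query);
}
```

The whitelist mangles the legitimate query while the escaped form keeps it readable and renders the probe as literal text rather than markup.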
ADDITIONAL INFORMATION
The information has been provided by <mailto:shaunige@yahoo.co.uk> Shaun
Colley.