[UNIX] IPCop proxylog.dat Cross Site Scripting Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 12/01/04

    To: list@securiteam.com
    Date: 1 Dec 2004 17:05:05 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      IPCop proxylog.dat Cross Site Scripting Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    IPCop <http://www.ipcop.org/> "implements existing technology, secure
    programming practices and outstanding new concepts to make it the Linux
    Distribution for protecting single home computers, to large corporate
    networks from intrusions and attacks".

    A vulnerability in the way IPCop displays log files allows a remote
    attacker to initiate a cross-site scripting attack against an IPCop
    administrator who is currently viewing the product's log files.

    DETAILS

    Vulnerable Systems:
     * IPCop version 1.4.1 and prior

    The "proxylog.dat" page allows the IPCop administrators to review browsed
    websites that have been processed through Squid. By creating a specially
    crafted HTTP request, it is possible to inject script code into the
    "proxylog.dat" page. This occurs as the variables "$url" and "$part" are
    not properly sanitized before being sent to the user. When the
    administrators view the page, the script code will be executed.

    Proof of Concept:
    The following HTTP request example will cause script injection into the
    proxy log:
     GET /<script>alert('XSS_PoC')</script> HTTP/1.1
     Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
     Accept-Language: en-us
     Accept-Encoding: gzip, deflate
     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
     Host: example.com
     Connection: Close

    Workaround:
    1) Open /home/httpd/cgi-bin/logs.cgi/proxylog.dat
    2) Locate the following text:
    unless (length($part) < 60) { $part = "${part}..."; }
    3) Insert the following five lines below:
    #Filter out < and > by replacing them with HTML entities
    $url =~ s/</&lt;/g;
    $part =~ s/</&lt;/g;
    $url =~ s/>/&gt;/g;
    $part =~ s/>/&gt;/g;
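
The workaround above covers only < and >. The following is an added example, not code from IPCop or from the original advisory, that escapes all five HTML metacharacters and does so after truncation, so a shortened value never ends in a half-cut entity. The row layout, the 60-character cut and the sample URLs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: not IPCop's logs.cgi code. Layout and names are assumed.
use strict;
use warnings;

# Characters that are significant in HTML text and in quoted attribute
# values. A single substitution pass avoids double-escaping the '&' that
# the replacement entities themselves contain.
my %ENTITY = (
    '&' => '&amp;',  '<' => '&lt;',  '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);

sub html_escape {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Render one log row: full URL in the href attribute, shortened copy as
# the link text. Truncate the raw value first and escape afterwards;
# truncating escaped text could cut "&lt;" into "&l" and corrupt output.
sub render_row {
    my ($url) = @_;
    my $part = $url;
    $part = substr($part, 0, 60) . '...' unless length($part) < 60;
    return sprintf('<tr><td><a href="%s">%s</a></td></tr>',
                   html_escape($url), html_escape($part));
}

# Constructed sample URLs as they might appear in a Squid access log.
my @sample = (
    'http://example.com/index.html',
    q{http://example.com/<script>alert('XSS_PoC')</script>},
    q{http://example.com/search?a=1&b="quoted"},
);

print render_row($_), "\n" for @sample;
```

With the second sample, the output contains &lt;script&gt; and &#39;XSS_PoC&#39; as literal text, so the browser displays the request path instead of executing it.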

    ADDITIONAL INFORMATION

    The information has been provided by Kurczaba Associates advisories
    <mailto:advisories@kurczaba.com>.
    The original article can be found at:
    http://www.kurczaba.com/html/security/0411291.htm
