[VulnWatch] LiteServe Directory Index Cross-Site Scripting

From: Matthew Murphy (mattmurphy@kc.rr.com)
Date: 11/08/02


From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "VulnDiscuss" <vulndiscuss@vulnwatch.org>, "VulnWatch" <vulnwatch@vulnwatch.org>, "Vuln-Dev" <vuln-dev@securityfocus.com>, "SecurITeam News" <news@securiteam.com>, "BugTraq" <bugtraq@securityfocus.com>
Date: Thu, 7 Nov 2002 21:30:08 -0600

There are three different places in the directory index of LiteServe where
unsanitized user input is returned to the browser. The first is yet another
wildcard DNS vulnerability, the second centers around query strings.

Write-Up: http://www.techie.hopto.org/vulns/2002-37.txt

* DNS Wildcard XSS

This is similar to the Apache XSS of last month. A malicious 'Host' header
entity is created by a specially encoded hostname. When the hostname is
rejected by the DNS server, the request is routed back to the parent:

http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E
.liteserve.net/dir

* Directory Query String XSS

The LiteServe directory indexing system fails to strip query strings from
indexed folders, meaning that the URL returned by LiteServe is susceptible
to cross-site scripting. URL decoding is performed before return:

http://liteserve.net/dir?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28locati
on%2Ehref%29%22%3E

These are essentially the same HTML, just different issues. There is also a
title tag that isn't filtered:

http://liteserve.net/dir?%3C%2FTITLE%3E%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22
alert%28location%2Ehref%29%22%3E



Relevant Pages

  • LiteServe Directory Index Cross-Site Scripting
    ... wildcard DNS vulnerability, the second centers around query strings. ... This is similar to the Apache XSS of last month. ... The LiteServe directory indexing system fails to strip query strings from ...
    (Bugtraq)
  • [Full-Disclosure] LiteServe Directory Index Cross-Site Scripting
    ... wildcard DNS vulnerability, the second centers around query strings. ... This is similar to the Apache XSS of last month. ... The LiteServe directory indexing system fails to strip query strings from ...
    (Full-Disclosure)