Multiple vulnerabilities found in CSGuestbook by CoolSerlets.com

Josh884_at_hotmail.com
Date: 02/24/05

    Date: 24 Feb 2005 01:28:04 -0000
    To: bugtraq@securityfocus.com

    Audit of the script: http://www.coolservlets.com/CSGuestbook/
    About this script: This is an open source GuestBook script offered by CoolServlets.com
    About the audit: This audit was performed by Daxgrapol and Dopel for RACAT (a subgroup of CASOS in the cyberarmy.net community).

    Note in advance: The script is dated at Feb 10, 2000, suggesting it is about 5 years old.

    Exploits found:

    File name: CSGuestbook.java
    Method name: public void service()
    Vulnerability Description: Although there is only one user mode currently implemented,
    the client could potentially send any user mode it wanted including "admin"
    which currently is not authenticated.

    File name: GuestbookFilter.java
    Method name: public String filterBadwords()
    Vulnerability Description: Only the first special character is filtered out of the returned string.
    This can lead to a string being returned with escape characters concatenated
    onto the user input.

    Ex. "Hello\\"
    (found by: Dopel).

    - Buffer overflow is possible (input field length not checked).
    (found by: Daxgrapol).

    Some logical coding errors:
    - the resulting hyperlink in the URL field (website of the signer) is something like this:
    http://localhost:8080/guestbook/www.sitename.com
    (where localhost:8080/guestbook refers to my local configuration)
    The error is in GuestBookEntry.java, line 59:
    return "<a href=\"" + url + "\">" + url + "</a>";
    must be :
    return "<a href=\"http://" + url + "\">" + url + "</a>";
    This is because the transmission protocol is not specified.

    - In the method addDatabaseEntry(req, res, db) the presence of the input fields is validated like this:
    String entry_name = request.getParameter("name");
    if (entry_name == null) entry_name = "";
    A better solution is:
    String entry_name = request.getParameter("name");
    entry_name = (entry_name == null) ? "" : entry_name.trim();
    (This is in order to avoid a 'valid' entry like ' x').

    - There is no check on the max length of each input field. Everywhere I can put the entire 'Divine Comedy'. This check is imperative in the servlet code and suggested in the HTML form.

    - The email address is not checked as a real one (like the web address). Not really important in a guestbook, but if I ask for them why not check them?
    (found by: Daxgrapol).

    Conclusion:
    This project is actually so outdated that we hope no-one uses it anymore; if you still do, you should really consider updating to something safer and coded to more recent standards.
    Still this report should show you how important proper coding is.

    On behalf of RACAT and CASOS,
    Anvar
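The following Java class is an added example, not part of the original post and not CSGuestbook's own code. It puts the report's findings side by side: a constructed filter that handles only the first occurrence of each metacharacter (illustrating the bug class described for filterBadwords), a corrected filter that walks every character, the null-safe trim suggested for addDatabaseEntry, an http:// prefix that is added only when the signer's URL has no scheme, a length cap per field, an email syntax check, and a refusal of any "mode" value other than the one actually implemented. Parameters are taken from a plain Map<String,String> rather than an HttpServletRequest (an assumption, so the file compiles without the servlet API), and the field limits and sample inputs are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hardened input handling for a guestbook entry (added example).
 * Parameters arrive as a Map<String,String> (assumption) instead of an
 * HttpServletRequest so this compiles and runs without the servlet API.
 */
public class GuestbookInput {

    // Constructed limits: the report notes the original checks no field length at all.
    static final int MAX_NAME = 64, MAX_EMAIL = 128, MAX_URL = 256, MAX_COMMENT = 2000;

    // Only the visitor mode is implemented; any other value sent by the client is refused.
    static final Set<String> ALLOWED_MODES = Set.of("visitor");

    static final Pattern EMAIL = Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
    static final Pattern HAS_HTTP_SCHEME = Pattern.compile("^https?://.*", Pattern.CASE_INSENSITIVE);

    /** Constructed illustration of the bug class the report describes (not the project's code):
     *  each metacharacter is handled only at its first occurrence, so a second backslash survives. */
    static String firstOccurrenceOnlyFilter(String s) {
        return s.replaceFirst("\\\\", "").replaceFirst("<", "&lt;").replaceFirst(">", "&gt;");
    }

    /** Corrected filter: visit every character, drop backslashes, escape HTML metacharacters. */
    static String filterAll(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': break;                    // dropped entirely
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Null-safe trim: the report's addDatabaseEntry suggestion without a NullPointerException
     *  when the parameter is missing. Whitespace-only input becomes "" and fails the presence check. */
    static String trimmed(Map<String, String> params, String key) {
        String v = params.get(key);
        return v == null ? "" : v.trim();
    }

    /** Prefix http:// only when no scheme is present, so "www.sitename.com" is not rendered as a
     *  link relative to the servlet path, and an absolute URL is not turned into "http://http://...". */
    static String normalizeUrl(String url) {
        if (url.isEmpty()) return "";
        return HAS_HTTP_SCHEME.matcher(url).matches() ? url : "http://" + url;
    }

    /** Replacement for the GuestBookEntry hyperlink: normalized scheme and escaped attribute value. */
    static String link(String url) {
        String u = filterAll(normalizeUrl(url));
        return "<a href=\"" + u + "\">" + u + "</a>";
    }

    /** Validate one submission; returns the problems found (an empty list means accept). */
    static List<String> validate(Map<String, String> params) {
        List<String> errors = new ArrayList<>();
        String mode = trimmed(params, "mode");
        if (!mode.isEmpty() && !ALLOWED_MODES.contains(mode)) errors.add("unknown mode: " + mode);

        String name = trimmed(params, "name"), email = trimmed(params, "email"),
               url = trimmed(params, "url"), comment = trimmed(params, "comment");
        if (name.isEmpty())                 errors.add("name is required");
        if (name.length() > MAX_NAME)       errors.add("name too long");
        if (comment.isEmpty())              errors.add("comment is required");
        if (comment.length() > MAX_COMMENT) errors.add("comment too long");
        if (!email.isEmpty() && (email.length() > MAX_EMAIL || !EMAIL.matcher(email).matches()))
            errors.add("email is not a valid address");
        if (url.length() > MAX_URL)         errors.add("url too long");
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String input = "Hello\\\\";                            // the visitor typed Hello followed by two backslashes
        System.out.println(firstOccurrenceOnlyFilter(input));  // one backslash is left behind
        System.out.println(filterAll(input));                  // both backslashes removed
        System.out.println(link("www.sitename.com"));          // scheme added, no longer a relative link
        System.out.println(link("https://example.org/"));      // existing scheme kept
        System.out.println(validate(Map.of("name", " x", "email", "bad@", "mode", "admin", "comment", "hi")));
        System.out.println(validate(Map.of("name", "x", "comment", "hi")));
    }
}
```

The filter drops backslashes rather than escaping them because a guestbook has no legitimate use for them, and the scheme check accepts only http and https so that a value such as a javascript: URL is rendered as an inert http:// link instead of an executable one. Whether to reject or truncate over-long fields is a policy choice; rejecting, as here, keeps the stored data identical to what the visitor confirmed.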

