7357238 2001-10-24 11:18 -0200  /157 rader/ MASA <masa@magnux.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-10-24  20:08  av Brevbäraren
Extern mottagare: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <19580>
Ärende: Cross-site Scripting Flaw in webalizer
------------------------------------------------------------
From: MASA <masa@magnux.com>
To: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0110241117190.29196-100000@ops.magnux.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MASA:01-01:en - Cross-site Scripting Flaw in webalizer


Overview

   The webalizer is a popular web server log file analysis tool which
   produces reports in HTML format. Some webalizer versions contains
   two flaws that may allow a malicious user to insert unquoted data
   into the generated reports. This may be used to run scripts in the
   security context of the viewed site, as explained in the
   [1]CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
   CERT/CC advisory (aka "cross-site scripting bug"). Under certain
   conditions, these flaws may allow a malicious user to run commands
   remotely on the web server where the reports are stored.

Detailed Description

   The list below summarizes the flaws that may be exploited by a
   malicious user to inject HTML tags into webalizer reports. Once
   injected, the malicious data will be processed as soon as a victim
   user visit the compromised report.

   Tags in host names
          The webalizer program blindly trust the data returned by the
          operating system resolver library, when doing reverse address
          resolution. A malicious user who has control over a DNS reverse
          address mapping zone can setup an address with PTR record
          pointing to a name containing HTML tags, and then access the
          web server where webalizer is run periodically. When the
          webalizer program is run on the log files, the address recorded
          on them will resolve to a name containing the HTML tags, which
          will be inserted unmodified into the generated HTML reports.

          Notice that the number of systems made vulnerable by this
          flaw may be small, as most modern resolver libraries refuse
          to return host names containing HTML meta-characters.

   Tags in search keywords
          The webalizer program has the ability of parsing the contents
          of HTTP referrer information stored in log files. The data
          collected is them compared to a list of search engine URLs, so
          that the program can present the words used to reach the
          analyzed site. Unfortunately, extracted keywords are stored
          unmodified in the generated HTML files -- this allow a
          malicious user to introduce tags directly into the reports, by
          connecting to the web server and sending a "Referer" HTTP
          header containing HTML meta-characters.

   These vulnerabilities may be exploited by a malicious user to run
   scripts on the user agent (e.g. web browser) accessing the
   compromised HTML reports, as described by the CERT/CC advisory
   mentioned above.

   However, these vulnerabilities are much more dangerous because the
   unvalidated user input is not output dynamically, but written to
   files on the web server file system instead. If these files are
   going to be interpreted by some scripting engine (such as Apache
   SSI, PHP, etc.), a malicious user can inject special tags that may
   trigger the script interpreter. This may allow the malicious user
   to run commands remotely on the web server.

Impact

     * Malicious users may run client-side scripts on the web user agent
       accessing a webalizer report, under the security context of the
       viewed site.
     * Malicious users may run commands remotely on the server where the
       webalizer reports are stored, if they are going to be parsed by
       scripting engines.

Who is Affected

   These flaws was confirmed in webalizer 2.01-06. Older versions were
   not tested.

   To be vulnerable to the "tags in host names" flaw, the following
   conditions must be met:

     * DNS name resolution is enabled in webalizer (e.g. the option
       --enable-dns was used when calling configure).
     * The operating system resolver library does not filter out HTML
       meta-characters in returned host names.

   To be vulnerable to the "tags in search keywords" flaw, the
   following conditions must be met:

     * HTTP referrer information is being output to log files to be
       analyzed by webalizer.
     * The webalizer program is configured to parse HTTP referrer
       information looking for search engine URLs. Unfortunately, this is
       enabled by default on the sample configuration file installed with
       the program, and the program will silently enable it, if no
       configuration file is being used.

Solution/workarounds

   The author of webalizer were contacted and provided a fix for these
   issues. A patch is available at
   [2]ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch.

Acknowledgments

   Thanks to Bradford L. Barrett <[3]brad@mrunix.net> (the author of
   webalizer) for promptly replying and providing a fix.

Additional Information

   MASA:01-01:en Copyright © 2001 by Magnux Software, Rio de
   Janeiro/Brazil. All rights reserved. This document may be copied and
   distributed freely in electronic form, provided that you keep it
   unchanged. Parts of it may be used unchanged and in electronic form
   only without the need of explicitly author authorization, provided
   that proper credits are given in the form "MASA:01-01:en from Magnux
   Software (http://www.magnux.com/)". To copy or reprint the whole or
   any part of this document in any other non-electronic medium, contact
   <[4]masa@magnux.com>.

   The information in this document may change without notice. The
   information contained in this document is provided for EDUCATIONAL
   PURPOSE ONLY and without ANY WARRANTY. In no event shall the
   author be liable for any damages whatsoever arising out of or in
   connection with the use or spread of this information. Any use of
   this information is at the user's own risk.

   This advisory and further updates, plus other advisories issued by
   Magnux Software, can be found on the [5]MASA Advisories Page on
   the [6]Magnux Software INTL web site. Questions about Magnux
   Software may be sent to <[7]admin@magnux.com>. GPG keys are
   available at [8]http://www.magnux.com/gpg-keys.txt.

References

   1. http://www.cert.org/advisories/CA-2000-02.html
   2. ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch
   3. mailto:brad@mrunix.net
   4. mailto:masa@magnux.com
   5. http://intl.magnux.com/masa/
   6. http://intl.magnux.com/
   7. mailto:admin@magnux.com
   8. http://www.magnux.com/gpg-keys.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE71ehbCd55iUBoMvYRAu5DAKCBLgbIE88hQoX8lRw64MRy8q02SwCeM2Om
+O4EkAD/ktktxJr3qyzg18I=
=YL3b
-----END PGP SIGNATURE-----
(7357238) /MASA <masa@magnux.com>/--------(Ombruten)