Category:   Application (Generic)  >   Webalizer
Vendors:   Barrett, Bradford L.
Webalizer Log File Analyzer Cross-Site Scripting Hole Allows Remote Users to Cause Arbitrary But Trusted Code to Be Executed By Another User When Viewing Webalizer Reports
SecurityTracker Alert ID:  1002637
SecurityTracker URL:  http://securitytracker.com/id/1002637
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 25 2001
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.01-06; possibly earlier versions (which were not tested)
Description:   A cross-site scripting vulnerability was reported in The Webalizer, a web server log file analysis package. A remote user could cause scripts to be executed on another user's host in certain situations.

Two vulnerabilities were reported that may allow a remote user to cause scripts to be executed on the browser of a user viewing the HTML reports. The scripts will appear to originate from the Webalizer server. A remote user can inject HTML tags into Webalizer reports such that when another user views the compromised report, the tag will be processed.

It is reported that The Webalizer does not filter data returned by the operating system resolver library when performing a reverse address resolution. A remote user that has control over a DNS reverse address mapping zone can create an address with a PTR record pointing to a name containing HTML tags. Then, the remote user can access a web server that uses Webalizer for log file analysis. When the Webalizer program is subsequently run, the address of the web server access will resolve to a name containing the HTML tags, which will be inserted into the HTML reports without filtering. This exploit is reportedly difficult to execute, as most modern resolver libraries refuse to return host names containing HTML meta-characters.

It is reported that a remote user can send an HTTP "Referer" header containing HTML meta-characters to a web server. When the Webalizer compares the referring URLs to a list of search engine URLs, the keywords used by the apparent search engine are extracted and stored without filtering in the HTML files on the server.
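Both vectors described above share one root cause: text that originated from an untrusted party (a PTR record, or the query string of a Referer URL) is copied into a static HTML report without output encoding. The following added example is not Webalizer's code or the vendor's fix; it is an illustration written for this page in Python. It assumes a constructed search-engine list and constructed combined-format log lines, and it shows the keyword extraction that creates the problem, the unsafe rendering beside an encoded one, a hostname whitelist for resolver output, and a small detector a defender could run over existing logs.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed mapping of search-engine host -> query parameter carrying the
# keywords. Modelled on the idea of a search-engine list, not Webalizer's own.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
}

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Letters, digits, hyphen and dot only (LDH rule); anything else is not a hostname.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
HTML_META = re.compile(r"[<>\"']")

# Constructed sample log lines (not real traffic). Line 2 carries a
# percent-encoded tag in the search query; line 3 carries a tag in the
# (already resolved) host field, as a hostile PTR record would produce.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 2326 '
    '"http://www.google.com/search?q=webalizer+reports" "Mozilla/4.0"',
    '198.51.100.7 - - [25/Oct/2001:10:01:00 +0000] "GET / HTTP/1.0" 200 512 '
    '"http://www.google.com/search?q=%3Cb%3Ebold%3C%2Fb%3E" "Mozilla/4.0"',
    '<b>evil</b>.example - - [25/Oct/2001:10:02:00 +0000] "GET / HTTP/1.0" 200 512 '
    '"-" "Mozilla/4.0"',
]


def parse_combined(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_keywords(referer):
    """Return the decoded search keywords if the referer is a known search engine.

    Note that parse_qs percent-decodes, so an encoded '<' becomes a literal '<'
    here: this is exactly the point at which an unencoded report becomes unsafe.
    """
    try:
        u = urlparse(referer)
    except ValueError:
        return None
    param = SEARCH_ENGINES.get(u.hostname or "")
    if not param:
        return None
    values = parse_qs(u.query).get(param)
    return values[0] if values else None


def safe_hostname(name):
    """Whitelist resolver output: anything outside the LDH alphabet is replaced."""
    return name if HOSTNAME_RE.match(name) else "invalid-hostname"


def render_row(host, keywords, escape=True):
    """Build one report table row. escape=False reproduces the unsafe behaviour."""
    if escape:
        host = safe_hostname(host)
        keywords = html.escape(keywords, quote=True)
    return f"<tr><td>{host}</td><td>{keywords}</td></tr>"


def flag_suspicious(lines):
    """Return (line number, fields) for lines whose host or decoded keywords
    contain characters that would be interpreted as markup in a report."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            continue
        hit = []
        if not HOSTNAME_RE.match(rec["host"]):
            hit.append("host")
        kw = extract_keywords(rec["referer"])
        if kw is not None and HTML_META.search(kw):
            hit.append("keywords")
        if hit:
            findings.append((n, hit))
    return findings


if __name__ == "__main__":
    for n, fields in flag_suspicious(SAMPLE_LOG):
        print(f"line {n}: markup characters in {', '.join(fields)}")
    rec = parse_combined(SAMPLE_LOG[1])
    kw = extract_keywords(rec["referer"])
    print("unsafe:", render_row(rec["host"], kw, escape=False))
    print("safe:  ", render_row(rec["host"], kw))
```

Two design points matter for a defender. First, the check on the host field cannot be a blacklist of HTML characters: resolver output should be accepted only if it is a syntactically valid hostname, which is what `safe_hostname` does. Second, escaping `<` and `>` on output also neutralises server-side interpretation of the written report, because Apache SSI directives (`<!--#...-->`) and PHP open tags begin with `<` as well; detection on the raw log line is not enough, since the keywords are percent-decoded before they reach the report.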

Impact:   A remote user can cause arbitrary scripts to be executed on the browser of a user viewing Webalizer reports. The code will appear to come from the presumably trusted Webalizer reports server. The code may access cookies and other user information.
Solution:   The vendor has issued a patch, available at:

ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch

Vendor URL:  www.mrunix.net/webalizer/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  BeOS, Linux (Any), Apple (Legacy "classic" Mac), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix for Red Hat 7.2) Webalizer Log File Analyzer Cross-Site Scripting Hole Allows Remote Users to Cause Arbitrary But Trusted Code to Be Executed By Another User When Viewing Webalizer Reports
The vendor has released a fix for Red Hat Linux 7.2.
(Red Hat Issues Fix for Red Hat Powertools 7.0 and 7.1) Webalizer Log File Analyzer Cross-Site Scripting Hole Allows Remote Users to Cause Arbitrary But Trusted Code to Be Executed By Another User When Viewing Webalizer Reports
The vendor has released a fix for Red Hat Powertools 7.0 and 7.1.
(Engarde Issues Fix) Webalizer Log File Analyzer Cross-Site Scripting Hole Allows Remote Users to Cause Arbitrary But Trusted Code to Be Executed By Another User When Viewing Webalizer Reports
The vendor has released a fix.
(SuSE Issues Fix) Webalizer Log File Analyzer Cross-Site Scripting Hole Allows Remote Users to Cause Arbitrary But Trusted Code to Be Executed By Another User When Viewing Webalizer Reports
The vendor has released a fix.
(Conectiva Issues Fix) Webalizer Log File Analyzer Cross-Site Scripting Hole Allows Remote Users to Cause Arbitrary But Trusted Code to Be Executed By Another User When Viewing Webalizer Reports
The vendor has released a fix.



 Source Message Contents

Subject:  Cross-site Scripting Flaw in webalizer


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MASA:01-01:en - Cross-site Scripting Flaw in webalizer


Overview

   The webalizer is a popular web server log file analysis tool which
   produces reports in HTML format. Some webalizer versions contain two
   flaws that may allow a malicious user to insert unquoted data into the
   generated reports. This may be used to run scripts in the security
   context of the viewed site, as explained in the [1]CA-2000-02
   Malicious HTML Tags Embedded in Client Web Requests CERT/CC advisory
   (aka "cross-site scripting bug"). Under certain conditions, these
   flaws may allow a malicious user to run commands remotely on the web
   server where the reports are stored.

Detailed Description

   The list below summarizes the flaws that may be exploited by a
   malicious user to inject HTML tags into webalizer reports. Once
   injected, the malicious data will be processed as soon as a victim
   user visits the compromised report.

   Tags in host names
          The webalizer program blindly trusts the data returned by the
          operating system resolver library when doing reverse address
          resolution. A malicious user who has control over a DNS reverse
          address mapping zone can set up an address with a PTR record
          pointing to a name containing HTML tags, and then access the
          web server where webalizer is run periodically. When the
          webalizer program is run on the log files, the address recorded
          in them will resolve to a name containing the HTML tags, which
          will be inserted unmodified into the generated HTML reports.

          Notice that the number of systems made vulnerable by this flaw
          may be small, as most modern resolver libraries refuse to
          return host names containing HTML meta-characters.

   Tags in search keywords
          The webalizer program can parse the contents of HTTP referrer
          information stored in log files. The data collected is then
          compared to a list of search engine URLs, so that the program
          can present the words used to reach the analyzed site.
          Unfortunately, extracted keywords are stored unmodified in the
          generated HTML files -- this allows a malicious user to
          introduce tags directly into the reports, by connecting to the
          web server and sending a "Referer" HTTP header containing HTML
          meta-characters.

   These vulnerabilities may be exploited by a malicious user to run
   scripts on the user agent (e.g. web browser) accessing the compromised
   HTML reports, as described by the CERT/CC advisory mentioned above.

   However, these vulnerabilities are much more dangerous because the
   unvalidated user input is not output dynamically, but written to files
   on the web server file system instead. If these files are going to be
   interpreted by some scripting engine (such as Apache SSI, PHP, etc.),
   a malicious user can inject special tags that may trigger the script
   interpreter. This may allow the malicious user to run commands
   remotely on the web server.

Impact

     * Malicious users may run client-side scripts on the web user agent
       accessing a webalizer report, under the security context of the
       viewed site.
     * Malicious users may run commands remotely on the server where the
       webalizer reports are stored, if they are going to be parsed by
       scripting engines.

Who is Affected

   These flaws were confirmed in webalizer 2.01-06. Older versions were
   not tested.

   To be vulnerable to the "tags in host names" flaw, the following
   conditions must be met:

     * DNS name resolution is enabled in webalizer (e.g. the option
       --enable-dns was used when calling configure).
     * The operating system resolver library does not filter out HTML
       meta-characters in returned host names.

   To be vulnerable to the "tags in search keywords" flaw, the following
   conditions must be met:

     * HTTP referrer information is being output to log files to be
       analyzed by webalizer.
     * The webalizer program is configured to parse HTTP referrer
       information looking for search engine URLs. Unfortunately, this is
       enabled by default on the sample configuration file installed with
       the program, and the program will silently enable it, if no
       configuration file is being used.

Solution/workarounds

   The author of webalizer was contacted and provided a fix for these
   issues. A patch is available at
   [2]ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch.

Acknowledgments

   Thanks to Bradford L. Barrett <[3]brad@mrunix.net> (the author of
   webalizer) for promptly replying and providing a fix.

Additional Information

   Janeiro/Brazil. All rights reserved. This document may be copied and
   distributed freely in electronic form, provided that you keep it
   unchanged. Parts of it may be used unchanged and in electronic form
   only without the need of explicitly author authorization, provided
   that proper credits are given in the form "MASA:01-01:en from Magnux
   Software (http://www.magnux.com/)". To copy or reprint the whole or
   any part of this document in any other non-electronic medium, contact
   <[4]masa@magnux.com>.

   The information in this document may change without notice. The
   information contained in this document is provided for EDUCATIONAL
   PURPOSE ONLY and without ANY WARRANTY. In no event shall the author be
   liable for any damages whatsoever arising out of or in connection with
   the use or spread of this information. Any use of this information is
   at the user's own risk.

   This advisory and further updates, plus other advisories issued by
   Magnux Software, can be found on the [5]MASA Advisories Page on the
   [6]Magnux Software INTL web site. Questions about Magnux Software may
   be sent to <[7]admin@magnux.com>. GPG keys are available at
   [8]http://www.magnux.com/gpg-keys.txt.

References

   1. http://www.cert.org/advisories/CA-2000-02.html
   2. ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch
   3. mailto:brad@mrunix.net
   4. mailto:masa@magnux.com
   5. http://intl.magnux.com/masa/
   6. http://intl.magnux.com/
   7. mailto:admin@magnux.com
   8. http://www.magnux.com/gpg-keys.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE71ehbCd55iUBoMvYRAu5DAKCBLgbIE88hQoX8lRw64MRy8q02SwCeM2Om
+O4EkAD/ktktxJr3qyzg18I=
=YL3b
-----END PGP SIGNATURE-----

Copyright 2021, SecurityGlobal.net LLC