(Vendor Issues Fix) Re: Lycos HTML Gear 'Guest Gear' Web Site Guestbook Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks Against Guest Gear Users
SecurityTracker Alert ID: 1005304
SecurityTracker URL: http://securitytracker.com/id/1005304
Date: Sep 27 2002
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
An input validation vulnerability was reported in the Lycos HTML Gear 'Guest Gear' guestbook service. A remote user can conduct cross-site scripting attacks against users of web sites that implement the Guest Gear service.
It is reported that a remote user can supply an e-mail address or web page URL to the Guest Gear function so that when a target user views the guestbook entry, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site using Guest Gear and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit is provided:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with a site using Guest Gear, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor reports that effective in the 9/25/02 release of HTMLGear, the vulnerability has been fixed. Also, all new guestbooks now default to the "simple tags" security level.
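The advisory does not say how the vendor's filter was corrected. As an added illustration (not Lycos code), the sketch below shows one way a guestbook can handle the two fields named in the description, the e-mail address and the web page URL: validate each against a narrow allow-list, then HTML-escape everything on output. The function names and sample entries are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
ALLOWED_SCHEMES = {"http", "https"}  # anything else (javascript:, data:, ...) is refused


def clean_email(value):
    """Return the address if it has a plain mailbox@domain shape, else None."""
    value = value.strip()
    return value if len(value) <= 254 and EMAIL_RE.fullmatch(value) else None


def clean_url(value):
    """Return the URL if it is an absolute http(s) link with no markup characters, else None."""
    value = value.strip()
    # Reject whitespace, control characters and anything that could close an attribute or tag.
    if any(ord(c) < 0x21 or c in "\"'<>`" for c in value):
        return None
    try:
        parts = urlsplit(value)  # urlsplit lowercases the scheme
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return value


def render_entry(name, email, url, message):
    """Build the HTML for one entry. Rejected fields are dropped, never repaired."""
    esc = lambda s: html.escape(s, quote=True)  # escapes & < > " '
    rows = ["<b>%s</b>" % esc(name)]
    mail, link = clean_email(email), clean_url(url)
    if mail:
        rows.append('<a href="mailto:%s">%s</a>' % (esc(mail), esc(mail)))
    if link:
        rows.append('<a href="%s" rel="nofollow noopener">homepage</a>' % esc(link))
    rows.append("<p>%s</p>" % esc(message))
    return '<div class="entry">' + "".join(rows) + "</div>"


if __name__ == "__main__":
    # Constructed guestbook entries: one ordinary, one with markup in every field.
    print(render_entry("Ann", "ann@example.org", "https://example.org/?a=1&b=2", "Nice site!"))
    print(render_entry("Bob", 'b@example.org" onmouseover="x', "javascript:void(0)", "<i>hi</i>"))
```

Validation and escaping are both applied because they cover different failures: the scheme check stops script-bearing URLs that contain no special characters, while escaping keeps any accepted value from breaking out of its attribute.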
Vendor URL: htmlgear.lycos.com/specs/pro/guest.html
Input validation error
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [VulnWatch] BugTraq ID: 5728
-----BEGIN PGP SIGNED MESSAGE-----
Due to a bug in the content filtering engine of HTMLGear's "GuestGear"
application, it was possible for a malicious user to inject arbitrary
Internet Explorer were affected, however Netscape/Mozilla browsers were not.)
This bug existed under all guestbook security settings.
Effective in the 9/25/02 release of HTMLGear, this security vulnerability has
been fixed. Additionally, all new guestbooks will now default to the "simple
tags" security level. (Previously, the default was to use the less secure mode
Terra Lycos, Inc.
Information Security Manager, US
This message is intended exclusively for its addressee and may contain
information that is CONFIDENTIAL and should not be forwarded to others without
written consent from the sender. If this message has been received in error,
please immediately notify me via e-mail and delete it. Please note that
Internet e-mail does not guarantee the confidentiality or the proper receipt of
the messages sent. If the addressee of this message does not consent to the
use of Internet e-mail, please communicate it to me immediately.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----