SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives




Category:   Application (Generic)  >   CGI.pm Vendors:   Stein, Lincoln D.
(An Unofficial Fix is Available) Re: CGI.pm Library Input Validation Flaw Permits Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007239
SecurityTracker URL:  http://securitytracker.com/id/1007239
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 22 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  

Description:   An input validation vulnerability was reported in the 'CGI.pm' library. A remote user can conduct cross-site scripting attacks against an application based on the library, depending on how the library is used.

Scripts that call start_form(), or start_multipart_form(), which is built on it, without an explicit -action are affected. When no action is given, the library builds the form's action attribute from the script URL and appends the raw QUERY_STRING without HTML-escaping it, so a double quote in the query string closes the attribute and everything after it is emitted as markup. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vulnerable software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://host/script.pl?">some%20text<!--%20

With that query string the generated form tag contains action="/script.pl?">some%20text<!--%20": the injected double quote ends the attribute early, the text after it is rendered as page content, and the trailing <!-- hides the remainder of the tag. Any markup, including a script element, can take the place of the text.

Whether an application that uses the library is affected depends on how the library is used: only forms whose action is left to the library's default are exposed.
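The following script is an added check, not code from the advisory, from the reply or from CGI.pm itself. It hands whichever CGI.pm is installed the request from the demonstration URL above, with the environment variables constructed inline the way a web server sets them for a CGI script, and inspects the form tag that start_form() emits both without and with an explicit -action. The VULNERABLE branch fires when the attribute closes at the injected quote, which is what the unpatched 2.93 code produces; the script path and host are assumed values.

```perl
#!/usr/bin/perl
# Added check against the installed CGI.pm (not code from the advisory or
# from the library): does start_form() let QUERY_STRING close the action
# attribute early?
use strict;
use warnings;
use CGI;

# Constructed request environment, shaped as a web server hands it to a
# CGI script. QUERY_STRING arrives as sent, without percent-decoding, so
# the raw '"' and '<' from the demonstration URL reach the library.
$ENV{REQUEST_METHOD} = 'GET';
$ENV{SERVER_NAME}    = 'host';
$ENV{SERVER_PORT}    = '80';
$ENV{SCRIPT_NAME}    = '/script.pl';
$ENV{PATH_INFO}      = '';
$ENV{QUERY_STRING}   = '">some%20text<!--%20';

my $q = CGI->new;

# Case 1: no -action, so the library derives one from the request URL.
# Case 2: an explicit -action, so the branch that appends QUERY_STRING is
# never taken (the value must not itself come from the request).
my @cases = (
    [ 'default action'  => $q->start_form() ],
    [ 'explicit action' => $q->start_form( -action => '/script.pl' ) ],
);

my $vulnerable = 0;
for my $case (@cases) {
    my ( $name, $tag ) = @$case;
    # A browser ends the attribute value at the first unescaped '"';
    # extracting it the same way shows what the browser would use.
    my ($action) = $tag =~ /\baction="([^"]*)"/;
    $action = '' unless defined $action;
    print "$name: $tag\n";
    if ( $action eq '/script.pl?' ) {
        print "  VULNERABLE: attribute ends at the injected quote; ",
              "the rest of the query string is rendered as markup\n";
        $vulnerable = 1;
    }
    elsif ( $action =~ /&quot;|&#34;/ ) {
        print "  OK: quote in the query string was HTML-escaped\n";
    }
    else {
        print "  OK: no unescaped quote reached the attribute\n";
    }
}
exit( $vulnerable ? 1 : 0 );
```

The check sets QUERY_STRING directly because the attack needs the raw quote to reach the server: clients that follow the WHATWG URL standard percent-encode `"` and `<` in the query component before sending, so from them the library would receive `%22` and `%3C`, which are harmless inside the attribute. A non-browser client, or an older browser that sends the characters as typed, delivers the string exactly as the script sets it.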

The vendor was reportedly notified on April 30, 2003.

Eye on Security reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running an application based on the library, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   An unofficial patch ("CGI.pm-2.93-erwann_corvellec-startform-XSS-protection.patch") for CGI.pm version 2.93 is available in the Source Message; it HTML-escapes the query string before it is appended to the default action. Until an official release is available, applications can also avoid the default entirely by passing an explicit -action to start_form() and start_multipart_form(), provided the value passed does not itself come from the request.
Vendor URL:  stein.cshl.org/WWW/software/CGI/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 21 2003 CGI.pm Library Input Validation Flaw Permits Remote Cross-Site Scripting Attacks



 Source Message Contents

Subject:  Re: CGI.pm vulnerable to Cross-site Scripting



Please find attached a more thorough patch against version 2.93 of CGI.pm.

Lincoln, could you include it in an urgent security release please?



> Advisory Title: CGI.pm vulnerable to Cross-site Scripting. 
> Release Date: July 19 2003
> 
> Application: CGI.pm - which is by default included in many common Perl
> distributions. 
> 
> 
> Platform: Most platforms. Tested on Apache and IIS. 
> 
> Version: CGI.pm 
> 
> Severity: Affects scripts which make use of start_form()
> 
> Author: 
> Obscure^ 
> [ obscure@eyeonsecurity.org ]
> 
> Vendor Status: 
> first informed on 30th April 2003
> Although the author told EoS that he will be releasing a fix within a
> week from his last correspondence (May15), no fix is out yet on his
> website.
> 
> 
> Web: 
> 
> http://stein.cshl.org/WWW/software/CGI/
> http://eyeonsecurity.org/advisories/
> 
> 
> Background.
> 
> (extracted from 
> http://stein.cshl.org/WWW/software/CGI/)
> 
> This perl 5 library uses objects to create Web fill-out forms on the fly
> and to parse their contents. It provides a simple interface for parsing
> and interpreting query strings passed to CGI scripts. However, it also
> offers a rich set of functions for creating fill-out forms. Instead of
> remembering the syntax for HTML form elements, you just make a series of
> perl function calls. An important fringe benefit of this is that the
> value of the previous query is used to initialize the form, so that the
> state of the form is preserved from invocation to invocation.
> 
> 
> Problem
> 
> CGI.pm has the ability to create forms by making use of the start_form()
> function. The developer/perl scripter can also make use of
> start_multipart_form() which relies on start_form() and is therefore
> vulnerable to the same issue. When the action for the form is not
> specified, it is given the value of $self->url(-absolute=>1,-path=>1) -
> which means that when the url is something like the following :
> 
> http://host/script.pl?">some%20text<!--%20
> 
> .. the form becomes <form action="http://host/script.pl">some text<!-- "
> 
> 
> In such case, it is possible to exploit this issue to launch a Cross
> Site Scripting attack.  
> 
> Exploit Examples.
> 
> --
> #!/usr/bin/perl
> # example of exploitable script
> #
> # Minimal script that reaches the affected code path: start_form() is
> # called without -action, so the library builds the action attribute
> # from the script URL and the raw QUERY_STRING.
> 
> use strict;
> use warnings;
> use CGI;
> 
> my $q = CGI->new;
> print $q->header;
> print $q->start_html('CGI.pm XSS');
> print $q->start_form();   # no -action: default action derived from the request
> print $q->end_form();
> print $q->end_html;
> 
> --
> 
> Fix.
> 
> I fixed my CGI.pm by adding the following code at line 1537
> 
> $action =~ s/\"/\%22/g; 
> 
> 
> Disclaimer.
> 
> The information within this document may change without notice. Use of
> this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties with regard to this information.
> In no event shall the author be liable for any consequences whatsoever
> arising out of or in connection with the use or spread of this
> information. Any use of this information lays within the user's
> responsibility.
> 
> 
> Feedback.
> 
> Please send suggestions, updates, and comments to:
> 
> Eye on Security
> mail : obscure@eyeonsecurity.org
> web : http://www.eyeonsecurity.org

Attachment: CGI.pm-2.93-erwann_corvellec-startform-XSS-protection.patch

--- CGI.pm.orig	2003-04-28 15:35:56.000000000 +0200
+++ CGI.pm	2003-07-21 20:32:45.000000000 +0200
@@ -1629,7 +1629,7 @@
     unless (defined $action) {
        $action = $self->url(-absolute=>1,-path=>1);
        if (length($ENV{QUERY_STRING})>0) {
-           $action .= "?$ENV{QUERY_STRING}";
+           $action .= '?' . $self->escapeHTML($ENV{QUERY_STRING},1);
        }
     }
     $action = qq(action="$action");
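Review bot: the query string is now escaped, but the path part of $action, built on the line above from $self->url(-absolute=>1,-path=>1), still reaches $action = qq(action="$action") with nothing in this hunk escaping it; with -path=>1 that value includes PATH_INFO, which is as request-controlled as QUERY_STRING, so a double quote there would reopen the same attribute break-out. Escaping the assembled value once, immediately before the qq(action="$action") line, covers both components with a single call. A short comment on the bare second argument in escapeHTML($ENV{QUERY_STRING},1) would also help; as written it tells the reader nothing about what extra escaping it requests.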









Copyright 2021, SecurityGlobal.net LLC