SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   VisitorBook LE
Vendors:   Command-O Software
VisitorBook LE Input Validation Flaw Lets Remote Users Send E-mail Via the System
SecurityTracker Alert ID:  1008444
SecurityTracker URL:  http://securitytracker.com/id/1008444
CVE Reference:   CVE-2003-0979, CVE-2003-0980, CVE-2003-0981
Updated:  Dec 12 2003
Original Entry Date:  Dec 11 2003
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of user information, Host/resource access via network, Modification of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in VisitorBook LE. A remote user can send e-mail via the system. A remote user can also conduct cross-site scripting attacks.

Westpoint Security reported that if the $mailuser variable is set to 1 (which is not the default setting), a remote user can exploit the guest book to send anonymous e-mail to arbitrary users [CVE: CVE-2003-0979].

The report indicates that the software does not escape line break characters. A remote user can exploit this to send arbitrary e-mail by setting the e-mail address field to the following type of values:

victim@domain1
From: spammer@domain2
Subject: $$$ hardcore XXX
...

It is also reported that a remote user can submit an entry with more line breaks than permitted by the $max_posts variable to cause the log file to be deleted and the database to become corrupted [also CVE: CVE-2003-0979].

It is also reported that the user-supplied 'do' variable is not filtered to remove HTML code before displaying the code [CVE: CVE-2003-0980]. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vulnerable VisitorBook software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A demonstration exploit URL is provided:

http://fester/cgi-bin/visitorbook.pl?do=<script>alert('hello')</script>

Some additional parameters are not properly escaped, including reverse DNS lookup data [CVE: CVE-2003-0981], the report said.

The vendor was reportedly notified on November 5, 2003.

[Editor's note: This report applies to the free VisitorBook LE version. It is not clear if the same vulnerability applies to VisitorBook Pro.]

Impact:   A remote user can send anonymous e-mail via the system

A remote user can cause the database to become corrupt.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vulnerable VisitorBook software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.

The author of the report has provided the following e-mails [quoted]:

Mail relay
  Disable user mails, by setting $mailuser to 0
Data deleting
  Modify code to escape line break characters on all parameters
Cross site scripting
  Modify code to escape <>&" characters on all parameters
Trusting reverse DNS
  In Apache config set HostNameLookups to Off

Vendor URL:  www.command-o.com/visitorbook/index.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Visitorbook LE Multiple Vulnerabilities


Westpoint Security Advisory

Title:        VisitorBook LE Mail Relay and Cross Site Scripting
Risk Rating:  Moderate
Software:     FreeScripts VisitorBook LE
Platforms:    Most Unix
Vendor URL:   http://www.freescripts.com/
Author:       Paul Johnston <paul@westpoint.ltd.uk>
Date:         10th December 2003
Advisory ID#: wp-03-0001

Overview
========

VisitorBook is a "customizable, database-driven guestbook software ... used all
over the net", which fails to escape various control characters in user input.
This results in:

  * Mail relaying
  * Data loss
  * Cross site scripting


Details
=======

Open mail relay
---------------
If $mailuser is set to 1 (not the default) then the script can be used as a
mail relay. This arises because line breaks are not escaped in the email field,
so you can relay mail by setting the email address to something like:

  victim@example.com
  From: spammer@example.com
  Subject: $$$ hardcore XXX
  ...
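The following is an added example, not code from the advisory or from VisitorBook LE, written in Python rather than the script's Perl. It shows the check that the mail relay described here (and in the summary earlier on this page) calls for: the visitor-supplied e-mail field is rejected if it carries a CR or LF, so it can never grow into extra mail headers, and the subject is fixed by the application. The addresses, the subject text and all function names are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample values. INJECTED_ADDRESS mirrors the shape of the e-mail
# field payload quoted in the advisory: a real address followed by extra
# header lines (example.com addresses, constructed subject).
CLEAN_ADDRESS = "visitor@example.com"
INJECTED_ADDRESS = (
    "victim@example.com\n"
    "From: spammer@example.com\n"
    "Subject: constructed spam subject\n"
)

# Conservative single-mailbox pattern: no whitespace, no control characters,
# exactly one '@'. Deliberately stricter than RFC 5322 rather than complete.
_ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def contains_header_injection(value: str) -> bool:
    """True when a header value carries CR or LF, the characters that let a
    guestbook field grow into additional mail headers (From:, Subject:, ...)."""
    return "\r" in value or "\n" in value


def validate_email_field(value: str) -> Optional[str]:
    """Return the address if it is one clean mailbox, otherwise None.
    The line-break check comes first so the reason for rejection stays
    explicit even if the address pattern is later relaxed."""
    if contains_header_injection(value):
        return None
    if not _ADDRESS_RE.fullmatch(value):
        return None
    return value


def build_notification_headers(reply_to: str, site_from: str) -> Optional[str]:
    """Hardened header assembly for the 'mail the visitor' feature.

    The visitor-supplied address is interpolated only after validation and
    the subject is fixed by the application, so a visitor cannot add or
    override headers. Returns None (and nothing is sent) on rejection."""
    addr = validate_email_field(reply_to)
    if addr is None:
        return None
    return (
        f"From: {site_from}\r\n"
        f"To: {addr}\r\n"
        "Subject: New guestbook entry\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    for candidate in (CLEAN_ADDRESS, INJECTED_ADDRESS):
        result = build_notification_headers(candidate, "guestbook@example.com")
        print(repr(candidate), "->", "rejected" if result is None else "accepted")
```

Rejecting the field outright is preferable to stripping the line breaks: a stripped value would silently send mail to an address the visitor never meant, and the rejection gives the log a clear record of the attempt.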

Guestbook database deleting / DoS
---------------------------------
Another consequence of the script failing to escape line breaks is that anyone
can remotely delete the log - they just need to submit an entry with more line
breaks than the value of $max_posts.

If you do this with Windows line breaks, then the database file is so corrupted
afterwards that the script always gives "500 Internal Server Error".

The script also fails to escape pipe "|" characters, which it uses as a field
delimiter, although it's unlikely this can be exploited.
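The following is an added example, not code from the advisory or from VisitorBook LE, written in Python. It shows a reversible encoding for a line-oriented, pipe-delimited guestbook file that covers this section and the data-deletion point in the summary earlier on this page: CR, LF, the "|" field delimiter and the escape character itself are escaped on the way in, so one submitted entry is always exactly one physical line and trimming to $max_posts can never discard the whole log. The record layout, the trimming rule and the hostile sample entry are constructed for the example; the real script's file format is not known beyond the pipe delimiter mentioned above.

```python
from typing import List

FIELD_SEP = "|"      # the guestbook's field delimiter (from the advisory)
RECORD_SEP = "\n"    # one entry per line (assumed layout)


def encode_field(value: str) -> str:
    """Escape the characters with structural meaning in the file.
    Backslash goes first so the escapes it introduces are unambiguous."""
    return (value.replace("\\", "\\\\")
                 .replace(FIELD_SEP, "\\p")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


_UNESCAPE = {"\\": "\\", "p": FIELD_SEP, "r": "\r", "n": "\n"}


def decode_field(value: str) -> str:
    out: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            out.append(_UNESCAPE.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def encode_entry(fields: List[str]) -> str:
    # After encode_field no raw '|', CR or LF survives, so the joined line is
    # exactly one record with exactly len(fields) - 1 separators.
    return FIELD_SEP.join(encode_field(f) for f in fields)


def decode_entry(line: str) -> List[str]:
    return [decode_field(f) for f in line.split(FIELD_SEP)]


def naive_physical_lines(fields: List[str]) -> int:
    """How many lines an unescaped join of the same fields would occupy:
    this is the number that, once larger than $max_posts, lets a single
    entry push every genuine record out of the file."""
    return FIELD_SEP.join(fields).count("\n") + 1


def append_entry(log: List[str], fields: List[str], max_posts: int) -> List[str]:
    """Append one encoded record and keep only the newest max_posts (>= 1).
    Because every record is a single physical line, the trim removes at most
    one existing record per submitted entry."""
    log.append(encode_entry(fields))
    del log[:-max_posts]
    return log


def serialize(log: List[str]) -> str:
    return "".join(line + RECORD_SEP for line in log)


def parse_log(text: str) -> List[List[str]]:
    return [decode_entry(line) for line in text.split(RECORD_SEP) if line]


if __name__ == "__main__":
    # Constructed hostile entry: Windows line breaks well past a max_posts
    # of 5, plus a delimiter and a backslash for good measure.
    hostile = ["Mallory", "line1\r\nline2\r\n" * 20 + "end|extra\\"]
    log: List[str] = []
    append_entry(log, ["Alice", "hello"], 5)
    append_entry(log, hostile, 5)
    print("records kept:", len(parse_log(serialize(log))))
    print("lines a naive join would have written:", naive_physical_lines(hostile))
```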

Cross site scripting
--------------------
The "do" parameter is not escaped at all, which you can exploit like:
  http://fester/cgi-bin/visitorbook.pl?do=<script>alert('hello')</script>

The user parameter is also not escaped. To exploit this you need to use a rogue
DNS server to poison the script with a malicious reverse DNS response. More
about this below. Note: this would be difficult to exploit in practice and was
not actually exploited in my tests.

Quote marks are not escaped in any parameters. You can exploit this by signing
an entry with a web link like this:
  http://" onmouseover="alert('hello')" crap="

Also, ampersands (&) are not escaped in any parameters, although it's unlikely
this can be exploited.
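The following is an added example, not code from the advisory or from VisitorBook LE, written in Python. It demonstrates the output escaping the cross-site scripting section here and the XSS description in the summary above call for: <, >, &, " and ' are escaped wherever a user value lands in the page, and a signature link is only rendered as an href if it is an http(s) URL with a plausible host, so the quote-breaking "link" shown above never reaches an attribute. The sample inputs mirror the payload shapes quoted in the advisory; the function names and the rendering layout are constructed for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs. The first two mirror the payload shapes shown
# in the advisory (a script tag in a free-text field, a quote-breaking link).
DO_PARAM = "<script>alert('hello')</script>"
QUOTE_BREAKING_LINK = 'http://" onmouseover="alert(\'hello\')" crap="'
ORDINARY_LINK = "https://example.com/page?x=1&y=2"

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
ALLOWED_SCHEMES = {"http", "https"}


def escape_html(value: str) -> str:
    """Escape & < > " ' so a value is inert both as element text and inside
    a double- or single-quoted attribute (html.escape with quote=True)."""
    return html.escape(value, quote=True)


def safe_link_href(url: str) -> Optional[str]:
    """Accept only http(s) URLs with a plausible host, then attribute-escape.
    Rejecting malformed URLs outright means a bogus 'link' never becomes an
    href at all; escaping handles quotes in URLs that do pass."""
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not parts.netloc or not _HOST_RE.fullmatch(parts.netloc):
        return None
    return escape_html(url)


def render_entry(name: str, url: str, message: str) -> str:
    """Render one guestbook entry; every user value passes through an
    escaper appropriate to where it lands in the markup."""
    name_html = escape_html(name)
    href = safe_link_href(url)
    signature = name_html if href is None else f'<a href="{href}">{name_html}</a>'
    return f"<p>{signature}: {escape_html(message)}</p>"


if __name__ == "__main__":
    print(render_entry(DO_PARAM, QUOTE_BREAKING_LINK, "hello"))
    print(render_entry("Bob", ORDINARY_LINK, "hello"))
```

The same escape_html call is what the "do" parameter needs before it is echoed back; the advisory's workaround list (escape <>&" on all parameters) is exactly this, with the single quote added because html.escape covers single-quoted attributes too.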

Trust of reverse dns
--------------------
The script uses the logic that it logs the user's reverse DNS name if
available, or IP address otherwise. The problem with this is that the reverse
DNS is untrusted data - someone can easily change their identity by setting
their reverse DNS to, say, "www.whitehouse.gov". This also leads to the
cross-site scripting attack mentioned above.
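The following is an added example, not code from the advisory or from VisitorBook LE, written in Python. Where the advisory's workaround is to turn HostNameLookups off in Apache, this shows what an application that still wants a hostname in its log would have to do: treat the PTR name as input, check that it is syntactically a hostname, and log it only if it resolves forward to the connecting address (forward-confirmed reverse DNS); otherwise log the address. The resolver data is constructed so the example runs offline; the one real-looking name is the spoofed value the advisory uses, paired with a documentation-range address that is not its real one.

```python
import re
import socket
from typing import Callable, Dict, List

# Syntactically valid DNS hostname: dotted labels of letters, digits, hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\.?$"
)

ReverseLookup = Callable[[str], str]
ForwardLookup = Callable[[str], List[str]]


def _system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def _system_forward(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]


def trusted_client_name(ip: str,
                        reverse: ReverseLookup = _system_reverse,
                        forward: ForwardLookup = _system_forward) -> str:
    """Forward-confirmed reverse DNS: return the PTR name only if it is
    well-formed and resolves back to the connecting address; otherwise
    return the address itself. Whoever controls the PTR zone for the
    client's address controls the PTR string, so it is treated as input."""
    try:
        name = reverse(ip)
    except OSError:
        return ip
    if not name or not _HOSTNAME_RE.fullmatch(name):
        return ip
    try:
        confirmed = forward(name.rstrip("."))
    except OSError:
        return ip
    return name if ip in confirmed else ip


# Constructed resolver data standing in for the real DNS during the demo.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "host10.example.net",                 # honest, forward-confirmed
    "192.0.2.20": "www.whitehouse.gov",                 # spoofed PTR, as in the advisory
    "192.0.2.30": "<script>alert('hello')</script>",    # PTR carrying markup
}
FAKE_A: Dict[str, List[str]] = {
    "host10.example.net": ["192.0.2.10"],
    "www.whitehouse.gov": ["198.51.100.5"],             # constructed, not the real address
}


def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR record (constructed)")
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    if name not in FAKE_A:
        raise socket.gaierror("no A record (constructed)")
    return FAKE_A[name]


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, "logged as", trusted_client_name(client, fake_reverse, fake_forward))
```

Even a forward-confirmed name must still go through the HTML escaping before it is displayed; the confirmation only establishes that the name belongs to the address, not that it is safe to echo.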


Workarounds
===========

Mail relay
  Disable user mails, by setting $mailuser to 0
Data deleting
  Modify code to escape line break characters on all parameters
Cross site scripting
  Modify code to escape <>&" characters on all parameters
Trusting reverse DNS
  In Apache config set HostNameLookups to Off


Vendor notification
===================

4 Nov 2003    Mailed all the email addresses in the source code, whois contacts
              for domain.
              No response.

5 Nov 2003    Raised a support ticket.
              The vendor indicated that the free version of the code had not
              been maintained for some time, but that sharing security related
              findings would be much appreciated.

10 Nov 2003   First detailed notification of vulnerabilities.
              No response.

21 Nov 2003   Passed draft advisory to vendor; indicated intention to publish
              on 10 Dec.
              No response.

9 Dec 2003    Reminded vendor of impending publication.
              No response.


This advisory is available online at:
  http://www.westpoint.ltd.uk/advisories/wp-03-0001.txt


-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk



Copyright 2019, SecurityGlobal.net LLC