[EMAIL PROTECTED] wrote (a LONG time ago): > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > SA0012 > > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > +++++ WebScarab Cross Site Scripting +++++ > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > > PUBLISHED ON > Jul 18, 2006 > > > PUBLISHED AT > http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt > http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt.gpg > > > PUBLISHED BY > Moritz Naumann IT Consulting & Services > Hamburg, Germany > http://moritz-naumann.com/ > > SECURITY at MORITZ hyphon NAUMANN d0t COM > GPG key: http://moritz-naumann.com/keys/0x277F060C.asc > > > AFFECTED APPLICATION OR SERVICE > WebScarab > http://www.owasp.org/index.php/OWASP_WebScarab_Project > http://sourceforge.net/projects/owasp/ > > WebScarab is a Free Software for manual and semi-automatic > web application penetration testing. It is developed in > Java by Rogan Dawes as part of the Open Web Application > Security Project (OWASP). > > > AFFECTED VERSIONS > Version 20060621-0003 and below > > > ISSUES > WebScarab is subject to a client side script code injection > vulnerability which may allows for running cross site > scripting attacks against web clients connecting through it. > > +++++ 1. Cross Site Scripting vulnerability in error > messages > > By accessing the following URI using a web browser which is > prone to this issue and configured to proxy through a > vulnerable version of WebScarab, a non-persitent web script > injection can be achieved: > > http://arbitrary.domain/</pre><script>alert(0);</script> > > This allows for disclosure of sensitive data stored in the > security context of any arbitrary domain which the web browser > has previously accessed but WebScarab is not able to access > by the time the attack takes place (due to invalid upstream > proxy setting on WebScarab, different results of DNS queries, > limited connectivity or other reasons). > > Ms Internet Explorer 6 SP2 and Konqueror 3.5.3 are known to > be prone to this issue. This problem is caused by insufficient > santitation of user supplied input before it is returned to > the client as part of an error message. > > > BACKGROUND > Cross Site Scripting (XSS): > Cross Site Scripting, also known as XSS or CSS, describes > the injection of malicious content into output produced > by a web application. A common attack vector is the > inclusion of arbitrary client side script code into the > applications' output. Failure to completely sanitize user > input from malicious content can cause a web application > to be vulnerable to Cross Site Scripting. > > http://en.wikipedia.org/wiki/XSS > http://www.cgisecurity.net/articles/xss-faq.shtml > > > WORKAROUNDS > Client: Disable Javascript. > Server: None known. > > > SOLUTIONS > Rogan Dawes has released version 20060718-1904 today. > This version fixes this issue. The updated packages is > available at > > http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823 > > > TIMELINE > Jul 18, 2006: Discovery, code maintainer notification > Jul 18, 2006: Code maintainer provides fix > Jul 18, 2006: Public advisory > > > REFERENCES > N/A > > > ADDITIONAL CREDIT > N/A > > > LICENSE > Creative Commons Attribution-ShareAlike License Germany > http://creativecommons.org/licenses/by-sa/2.0/de/
Due to a complete lack of actual testing, the abovementioned "fix" for this problem didn't actually do anything. Thanks to Nathaniel Roberts for pointing this out, even almost a year later. A new release of WebScarab has been published that does actually fix this. It can be obtained from <https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823> The full changelog since the previous version is available at <https://sourceforge.net/project/shownotes.php?release_id=506001&group_id=64424> Regards, Rogan Dawes _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
