Jason Maloney's Guestbook XSS Vulnerability.




~*~*~*~*~*~*~
Introduction
~*~*~*~*~*~*~

Jason Maloney's Guestbook is a simple CGI script, an
easy-to-use and easy-to-set-up guestbook.  The script
fails to carefully sanitize user input, such as certain
dangerous metacharacters, resulting in an XSS
vulnerability.


~*~*~*~*~*~*~
The Bug
~*~*~*~*~*~*~

In the user-input parsing routine shown below, the
guestbook script sanitizes user input poorly, resulting
in an XSS vulnerability.  Here is the vulnerable code:


############### START HERE ###############

# Read the raw POST body and split it into name=value pairs.
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
   ($name, $value) = split(/=/, $pair);
   # Undo form encoding: '+' is a space, %XX is a byte.
   $value =~ tr/+/ /;
   $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   # Strip HTML/SSI comments.  The <!-- --> pattern was lost in
   # this copy and is restored here from the Matt's Scripts
   # routine the script borrows from.
   $value =~ s/<!--(.|\n)*-->//g;

   # Tag removal only runs when $allow is not 1; the script ships
   # with $allow = 1, so this block is never reached.
   if ($allow != 1) {
      $value =~ s/<([^>]|\n)*>//g;
   }

   $FORM{$name} = $value;
}

################ END HERE ################

The code fails to check for and eliminate dangerous
metacharacters such as '<' and '>' (the tag-stripping
substitution is only applied when $allow is not 1),
so JavaScript and other malicious markup can be
embedded in form fields.
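To see what the loop above does to a posted form, here is an added example (not code from the advisory or from the guestbook itself): it re-implements the decoding steps as a function, applies the script's own tag-stripping regex, and then shows HTML-entity encoding at output time as the defensive alternative.  The sample POST body is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample POST body (application/x-www-form-urlencoded), as a browser
# would send it from the guestbook form.  Not taken from the advisory.
my $body = 'name=Alice+%3Cb%3E&email=alice%40example.com'
         . '&comments=Hello%3Cscript%3Ealert(%22Vulnerable%22)%3C%2Fscript%3E';

# Same decoding steps as the guestbook's parsing loop, returned as a hash ref
# instead of being stored in the global %FORM.
sub parse_form {
    my ($buffer) = @_;
    my %form;
    foreach my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        $value =~ tr/+/ /;                                   # '+' encodes a space
        $value =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg; # %XX -> byte
        $form{$name} = $value;
    }
    return \%form;
}

# The script's own tag removal, which only runs when $allow != 1.  It deletes
# complete <...> elements but leaves an unmatched '<' in place.
sub strip_tags {
    my ($value) = @_;
    $value =~ s/<([^>]|\n)*>//g;
    return $value;
}

# Defensive alternative: entity-encode the metacharacters at output time so the
# browser renders whatever was typed as text, never as markup or script.
sub html_escape {
    my ($value) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $value =~ s/([&<>"'])/$ent{$1}/g;
    return $value;
}

my $form = parse_form($body);
for my $field (qw(name email comments)) {
    print "$field raw:      $form->{$field}\n";
    print "$field stripped: ", strip_tags($form->{$field}), "\n";
    print "$field escaped:  ", html_escape($form->{$field}), "\n";
}
```

The escaped form of each value is what should be written into guestbook.html; compare it with the stripped form to see how the two approaches differ on the same input.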


~*~*~*~*~*~*~
Impact
~*~*~*~*~*~*~

Allows malicious users to execute script in the
browsers of other users who view the guestbook.


~*~*~*~*~*~*~
The Exploit
~*~*~*~*~*~*~

When filling in the fields of the guestbook message
posting form, an attacker can simply insert malicious
JavaScript code into a text field, such as the 'name'
field.

Simply insert

''

into the 'name' field and post a message to test the
vulnerability.  An alert window containing the string
"Vulnerable" will appear.  When a user visits the
guestbook page, the popup will appear again, so the
potential for code execution exists.  An attacker can
easily insert more malicious JavaScript depending on
her intentions.


~*~*~*~*~*~*~
The Fix
~*~*~*~*~*~*~

The vulnerability can be fixed by applying the
following simple diff patch via the command 'patch
guest.cgi guest.patch'.

(I'm sorry for the size of it - I'm new to diff and
couldn't figure out how to decrease the size.  Anybody
with the answer, please kindly email me :-))


############### START HERE ###############

--- guest.cgi	2003-12-03 16:07:15.000000000 +0000
+++ guest1.cgi	2003-12-05 17:05:31.000000000 +0000
@@ -1,280 +1,282 @@
-#!/usr/local/bin/perl
-#######################################################
    
-# Program - Guestbook  -  version 3.0                
#
-# Updated April 16, 1998                             
#
-#                                                    
#
-# This is a Guestbook program that logs the Name,    
#
-# E-mail,  URL, City, State and a Comment.  The      
#
-# person, however, must enter their Name, E-mail,    
#
-# and a Comment.                                     
#
-#                                                    
#
-# MAKE SURE THAT YOU READ OVER THE TERMS OF AGREEMENT
#
-# BEFORE USING THIS SCRIPT.  BY USING THIS SCRIPT,   
#
-# YOU ARE AGREEING TO ABIDE BY THEM.  HOWEVER, IF YOU
#
-# DON'T AGREE WITH IT, THEN DON'T USE MY SCRIPTS.    
#
-# PLEASE READ THE 'README.TXT' FILE BEFORE
INSTALLING.#
-# KEEP IN MIND THAT JASON'S SCRIPTS & THE AESTHETIC  
#
-# SURGERY CENTER SHALL NOT BE HELD LIABLE FOR ANY    
#
-# DAMAGES THAT MAY OCCUR FROM DOWNLOADING AND/OR     
#
-# INSTALLING MY PROGRAMS. USE AT YOUR OWN RISK!      
#
-#                                                    
#
-# A Few liness came from Matt's Scripts @            
#
-# http://www.worldwidemart.com/scripts               
#
-#######################################################
-$directory_gbook =
"/usr/users/guestbook/guestbook.html";
-$guestbook =
"http://www.yourdomain.com/guestbook/guestbook.html"; 
-$cgi =
"http://www.yourdomain.com/guestbook/guest.cgi"; 
-$base = "http://www.yourdomain.com/guestbook/"; 
-$gif1 = "add.gif";
-$gif2 = "miss.gif";
-$gif3 = "thanks.gif";
-$gif4 = "blueline.gif";
-
-$mail = 1;
-$mailto = 'user@yourcompany.com'; 
-
-############################################################
-#Don't touch, these are necessary to run the script!
-$mailprog = '/usr/lib/sendmail';
-$entry = 1;
-$allow = 1;
-$date_command = "/usr/bin/date";
-############################################################
-$date = `$date_command +"%B %d, %Y"`; chop($date);
-
-read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
-@pairs = split(/&/, $buffer);
-foreach $pair (@pairs) {
-   ($name, $value) = split(/=/, $pair);
-   $value =~ tr/+/ /;
-   $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;
-   $value =~ s///g;
-
-   if ($allow != 1) {
-      $value =~ s/<([^>]|\n)*>//g;
-   }
-
-   $FORM{$name} = $value;
-}
-
-########
-#Checks to see that the comments, name and e-mail
address were added!
-&no_comments unless $FORM{'comments'};
-&no_name unless $FORM{'name'};
-&no_email unless $FORM{'email'};
-
-######
-#Checks to see if the E-mail address is in the normal
form, 
-#yourname@yourcompany.com 
-
-if (&email_check($FORM{'email'})) {
-}
-else {
-&no_email;
-}
-
-#######
-#Opens 'guestbook.html' for writting 
-open (FILE,"$directory_gbook") || die "Can't Open
$directory_gbook: $!\n";
-@LINES=;
-close(FILE);
-$SIZE=@LINES;
-
-# Open Link File to Output
-open (GUEST,">$directory_gbook") || die "Can't Open
$directory_gbook: $!\n";
-
-for ($i=0;$i<=$SIZE;$i++) {
-   $_=$LINES[$i];
-   if (//) { 
-      if ($entry eq '1') {
-         print GUEST "\n";
-      }
-         print GUEST "\n";
-      if ( $FORM{'name'}) {
-         print GUEST "\n";
-         }
-      if ($FORM{'email'}) {
-         print GUEST "\n";
-      }
-      if ($FORM{'url'} ne "http://") { 
-         print GUEST "\n";
-      }
-      else {
-      }
-      if ( $FORM{'city'} ){
-         print GUEST "\n";
-      }
-      print GUEST " \n";
-      print GUEST
"
Name: $FORM{'name'} - $date
E-mail: HREF=\"mailto:$FORM{'email'}\"> $FORM{'email'}
My URL: $FORM{'url'}
Location: $FORM{'city'}"; - print GUEST ", $FORM{'state'}     $FORM{'country'}
Comments:  $FORM{'comments'}

\n"; - print GUEST "


\n\n\n"; - if ($entry eq '0') { - print GUEST "/) { + if ($entry eq '1') { + print GUEST "\n"; + } + print GUEST "\n"; + if ( $FORM{'name'}) { + print GUEST "\n"; + } + if ($FORM{'email'}) { + print GUEST "\n"; + } + if ($FORM{'url'} ne "http://") { + print GUEST "\n"; + } + else { + } + if ( $FORM{'city'} ){ + print GUEST "\n"; + } + print GUEST " \n"; + print GUEST "
Name: $FORM{'name'} - $date
E-mail: HREF=\"mailto:$FORM{'email'}\"> $FORM{'email'}
My URL: $FORM{'url'}
Location: $FORM{'city'}"; + print GUEST ", $FORM{'state'}     $FORM{'country'}
Comments:  $FORM{'comments'}

\n"; + print GUEST "


\n\n\n"; + if ($entry eq '0') { + print GUEST "

