Escapade Scripting Engine XSS Vulnerability and Path Disclosure

Published: 9 September 2003
Released: 9 September 2003
Affected Systems: Escapade Scripting Engine
Vendor: http://www.escapade.org , http://www.squishedmosquito.com
Issue: Remote attackers can inject XSS script and learn the installation path of the site.

Description:
============
Escapade, or ESP for short, is a server-side scripting language that provides an interface to back-end database contents. Specifically designed to create dynamic information from this data, Escapade can be used to generate any kind of document - HTML, XML, text, and more. While server-side scripting is not a new concept, ESP is a breakthrough product that will enable programmers to much more easily have access to data in databases in their web pages without having to resort to ASP or complicated back-end Perl or PHP scripts.

Details:
========
It is possible to inject XSS script in the method variable.

Example:
http://www.site.com/cgi-bin/esp?PAGE=<script>alert(document.domain)</script>

It is also possible to send a malformed HTTP request for many variables in Escapade and, in doing so, trigger an error. The resulting error message discloses potentially sensitive installation path information to the remote attacker.

Example:
http://www.site.com/cgi-bin/esp?PAGE=!@#$%

Solution:
=========
The vendor has been contacted; a patch has not yet been produced.

Suggestions:
============
Filter the method variable (XSS problem), filter all variables.

Discovered by / credit:
=======================
Bahaa Naamneh
b_naamneh@hotmail.com
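One way to apply the filtering suggested above in a layer placed in front of the esp CGI, shown as an added example that is not part of the original advisory or of the Escapade code. The allowlist pattern, the function names and the generic error text are assumptions; the sample query strings are constructed from the two example requests plus one benign value.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: legitimate values are short names made of these characters only.
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
GENERIC_ERROR = "The requested page could not be displayed."


def validate_query(query_string):
    """Return the names of parameters whose values fail the allowlist."""
    rejected = []
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        if not all(ALLOWED_VALUE.fullmatch(v) for v in values):
            rejected.append(name)
    return rejected


def encode_for_html(value):
    """Encode a value so a browser renders it as text, not as markup."""
    return html.escape(value, quote=True)


def client_error(detail, log):
    """Keep the detailed error (which may hold paths) on the server side."""
    log.append(detail)
    return GENERIC_ERROR


def handle(query_string, log):
    """Decide what the client sees for one request aimed at the esp CGI."""
    rejected = validate_query(query_string)
    if rejected:
        detail = "rejected parameters %r in %r" % (rejected, query_string)
        return 400, client_error(detail, log)
    return 200, "forward to esp"


# Constructed samples: the advisory's two example values and a benign one.
SAMPLES = [
    "PAGE=<script>alert(document.domain)</script>",
    "PAGE=!@#$%",
    "PAGE=index.html",
]

if __name__ == "__main__":
    server_log = []
    for qs in SAMPLES:
        print(handle(qs, server_log), "|", encode_for_html(qs))
```

Rejecting on an allowlist covers every variable rather than only PAGE, and the generic error body keeps any path detail in the server log instead of the response.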