lists.openwall.net: Open Source and information security mailing list archives
Date: Thu, 01 Nov 2007 18:37:24 +0100
From: skien <skienlab@...il.com>
To: Raymond Pete <pete@...kiosk.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Airkiosk/formlib application is XSS vuln

Raymond Pete wrote:
> Had "Skein" posted to this group (bugtraq) asking for contact
> information he would have received a response.  His posting here is
> inaccurate and speculative.

speculative? why?

> 
> DESCRIPTION:
> 
> The 3rd party module formlib.pl contained an error in handling/printing
> of unsanitized input data, which could lead to a malicious user
> injecting code into the user's displayed page via a custom generated
> link, if this subroutine was called AND the user's browser does not
> encode the input string.
>

This is inaccurate.
There is another way to use your vuln (not by typing it directly into
the browser): the problem of input encoding can easily be overcome using
a POST method that does not encode the input, or Flash/ActionScript.

So re-creating a web banner that links to your application with a new
page (document.write) .js isn't very difficult to do.

> SECURITY IMPLICATIONS:
> 
> Low.  "Skein" has written separately (not on bugtraq) that the danger
> was "for who want to steal cookies."  This speculation concerns sessions
> in which cookies are involved.   However, the AirKiosk system does not
> rely on cookies for session management.  The AirKiosk system does not
> use cookies at all, and we discourage their use generally.

.

> 
> STATUS:
> 
> formlib.pl has been patched where applicable and possible code injection
> is no longer possible.  

http://www.blu-express.com/cgi-bin/airkiosk/I7/81015lfa?K=1&K=2&HI%20%MR%20PETE

...
> 
> 
> Raymond Pete
> Operations Director, AirKiosk Systems
> Sutra, Inc.
> 

Skien, not skein.
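The point of the reply above is that "the browser encodes the input" is not a mitigation: a form field reaches the CGI handler as the same decoded string whether the browser percent-encoded it in a GET query or a hand-built POST body sent it raw, so the only real fix is escaping on output. The following Python is an added illustration of that argument, not code from formlib.pl or from AirKiosk; the field name `name`, the two sample requests and the `reflect_*` handlers are constructed for the example.

```python
"""Added example (not formlib.pl's own code): why browser-side URL encoding
is no defense against reflected XSS, and what the server must do instead."""
import html
from urllib.parse import parse_qs

FIELD = "name"  # constructed form-field name, not taken from the original post


def field_value(form_data: str) -> str:
    """Decode one form field the way a CGI handler sees it.

    parse_qs percent-decodes, so an encoded '%3C' and a literal '<' both
    arrive as '<': the server cannot tell whether the client encoded anything.
    """
    return parse_qs(form_data, keep_blank_values=True).get(FIELD, [""])[0]


def reflect_vulnerable(value: str) -> str:
    """Reflect the field verbatim: any markup the submitter sent is rendered."""
    return f"<p>Hello {value}</p>"


def reflect_hardened(value: str) -> str:
    """HTML-escape before reflecting, so the field is rendered as plain text."""
    return f"<p>Hello {html.escape(value, quote=True)}</p>"


def handle(method: str, query_string: str, body: str, render) -> str:
    """Minimal CGI-style dispatcher: GET reads the query string, POST the body."""
    data = query_string if method == "GET" else body
    return render(field_value(data))


def reflects_unescaped(page: str, submitted: str) -> bool:
    """Defender's check: True if submitted markup appears in the page untouched."""
    return html.escape(submitted, quote=True) != submitted and submitted in page


# Constructed sample requests. The GET query is what a browser produces when
# the link is opened (it percent-encodes '<' and '>'); the POST body is what a
# hand-built form or script can send without any encoding at all.
BROWSER_GET_QUERY = "name=%3Cb%3Ehi%3C%2Fb%3E"
RAW_POST_BODY = "name=<b>hi</b>"


def same_server_side_value() -> bool:
    """Both transports decode to the identical string on the server."""
    return field_value(BROWSER_GET_QUERY) == field_value(RAW_POST_BODY) == "<b>hi</b>"


if __name__ == "__main__":
    print("server sees the same value either way:", same_server_side_value())
    for render in (reflect_vulnerable, reflect_hardened):
        page = handle("POST", "", RAW_POST_BODY, render)
        print(f"{render.__name__}: {page!r} -> unescaped markup: "
              f"{reflects_unescaped(page, '<b>hi</b>')}")
```

`reflects_unescaped` is the kind of assertion a regression test for the patched `formlib.pl` would make: submit a harmless marker containing angle brackets through both GET and POST, and fail if the marker comes back without `&lt;`/`&gt;`.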
