lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 22 Jul 2003 12:57:19 -0400
From: Lincoln Stein <lstein@...l.edu>
To: "Erwann CORVELLEC" <Erwann.Corvellec@...e.fr>,
	<bugtraq@...urityfocus.com>, <lstein@...l.org>
Subject: Re: CGI.pm vulnerable to Cross-site Scripting


Hi,

But this was fixed long ago in version 2.94.  We're at version 2.98 now.  The 
most up-to-date copy is always in CPAN.

Lincoln

On Monday 21 July 2003 03:36 pm, Erwann CORVELLEC wrote:
> Please find attached a more thorough patch against version 2.93 of CGI.pm
>
> Lincoln, could you include it in an urgent security release please ?
>
> Le 21/07/2003 00:06, obscure a écrit :
> > Advisory Title: CGI.pm vulnerable to Cross-site Scripting.
> > Release Date: July 19 2003
> >
> > Application: CGI.pm - which is by default included in many common Perl
> > distributions.
> >
> >
> > Platform: Most platforms. Tested on Apache and IIS.
> >
> > Version: CGI.pm
> >
> > Severity: Effects scripts which make use of start_form()
> >
> > Author:
> > Obscure^
> > [ obscure@...onsecurity.org ]
> >
> > Vendor Status:
> > first informed on 30th April 2003
> > Although the author told EoS that he will be releasing a fix within a
> > week from his last correspondence (May15), no fix is out yet on his
> > website.
> >
> >
> > Web:
> >
> > http://stein.cshl.org/WWW/software/CGI/
> > http://eyeonsecurity.org/advisories/
> >
> >
> > Background.
> >
> > (extracted from
> > http://stein.cshl.org/WWW/software/CGI/)
> >
> > This perl 5 library uses objects to create Web fill-out forms on the fly
> > and to parse their contents. It provides a simple interface for parsing
> > and interpreting query strings passed to CGI scripts. However, it also
> > offers a rich set of functions for creating fill-out forms. Instead of
> > remembering the syntax for HTML form elements, you just make a series of
> > perl function calls. An important fringe benefit of this is that the
> > value of the previous query is used to initialize the form, so that the
> > state of the form is preserved from invocation to invocation. .
> >
> >
> > Problem
> >
> > CGI.pm has the ability to create forms by making use of the start_form()
> > function. The developer/perl scripter can also makes use of
> > start_multipart_form() which relies on start_form() and is therefore
> > vulnerable to the same issue. When the action for the form is not
> > specified, it is given the value of $self->url(-absolute=>1,-path=>1) -
> > which means that when the url is something like the following :
> >
> > http://host/script.pl?">some%20text<!--%20
> >
> > .. the form becomes <form action="http://host/script.pl">some text<!-- "
> >
> >
> > In such case, it is possible to exploit this issue to launch a Cross
> > Site Scripting attack.
> >
> > Exploit Examples.
> >
> > --
> > #!/usr/bin/perl
> > # example of exploitable script
> > #
> >
> > use CGI;
> >
> > $q = new CGI;
> > print $q->header;
> > print $q->start_html('CGI.pm XSS');
> > print $q->start_form();
> > print $q->end_form();
> > print $q->end_html;
> >
> > --
> >
> > Fix.
> >
> > I fixed my CGI.pm by adding the following code at line 1537
> >
> > $action =~ s/\"/\%22/g;
> >
> >
> > Disclaimer.
> >
> > The information within this document may change without notice. Use of
> > this information constitutes acceptance for use in an AS IS
> > condition. There are NO warranties with regard to this information.
> > In no event shall the author be liable for any consequences whatsoever
> > arising out of or in connection with the use or spread of this
> > information. Any use of this information lays within the user's
> > responsibility.
> >
> >
> > Feedback.
> >
> > Please send suggestions, updates, and comments to:
> >
> > Eye on Security
> > mail : obscure@...onsecurity.org
> > web : http://www.eyeonsecurity.org

-- 
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein@...l.org			                  Cold Spring Harbor, NY
========================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ