[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000f01c3e02e$da3d1720$02a8623e@BlueHell>
Date: Wed, 21 Jan 2004 15:57:03 +0100
From: "Donato Ferrante" <fdonato@...istici.org>
To: <bugtraq@...urityfocus.com>
Subject: Mephistoles Httpd 0.6.0final XSS
Donato Ferrante
Application: Mephistoles Httpd
http://sourceforge.net/projects/mephistoles
Version: 0.6.0final
Bug: cross site scripting
Author: Donato Ferrante
e-mail: fdonato@...istici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"The Mephistoles Internet Suite includes at the present a HTTP server,
a FTP server, a DNS caching server, a (experimental and yet unsusable)
NetBIOS client and a client that can (currently) fetch pages via HTTP.
All programs written in Perl and small."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't make a full check on the strings sent by the
client, in fact the input strings are not filtered and they will
appear in the returned page.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability simply use strings like:
http://[host]/<A_SCRIPT>
for example:
http://[host]/<script>alert("Test")</script>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
The vendor was contacted and soon will be released a new version of
Mephistoles Httpd, so go on the Mephistoles' official web site:
http://sourceforge.net/projects/mephistoles
and check for a new version.
Or, if you want, you can use my following little patch, that should
fix the bug for the version 0.6.0final of Mephistoles Httpd:
--- mephistoles-httpd-0.6.0final-noarch.pl 2004-01-21 12:16:34.000000000
+0100
+++ patch.pl 2004-01-21 12:25:56.000000000 +0100
@@ -205,7 +205,7 @@
my $ic;
if (opendir(DIR,$trdr.$public)) { } else {
- serr(404,$page);
+ serr(404,"");
return;
}
@@ -389,13 +389,13 @@
$page=conv($page); # convert $page from %XX-encoding to plain ASCII
if (evilhacker($page)) { # illegal filename
- serr(403,$page);
+ serr(403,"");
return;
}
if (($cgiholes==1) && (defined $getstr)) { # minimal protection for bad
cgi-scripts!
if (evilhacker($getstr)) {
- serr(403,$page);
+ serr(403,"");
return;
}
}
@@ -411,7 +411,7 @@
$trdr="/root/public_html/";
$trp=$2;
} else {
- serr(403,$page);
+ serr(403,"");
}
} else {
$page =~ /^\/\~(.+?)\/(.*?)$/g;
@@ -449,11 +449,11 @@
if ($reqt==2) { # POST-requests
$ENV{"REQUEST_METHOD"}="POST";
if ($postreq==0) {
- serr(403,"$page");
+ serr(403,"");
} else {
if ($postreq==1) {
if (iscgi($trp)) {
- serr(403,"$page");
+ serr(403,"");
return;
}
}
@@ -495,7 +495,7 @@
$ENV{"REQUEST_METHOD"}="GET";
if (!(-e $trdr.$trp)) {
- serr(404,$page);
+ serr(404,"");
return;
}
@@ -550,7 +550,7 @@
}
close(SRC);
} else {
- serr(404,$page);
+ serr(404,"");
}
}
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Powered by blists - more mailing lists