lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050224012804.16791.qmail@www.securityfocus.com>
Date: 24 Feb 2005 01:28:04 -0000
From: <Josh884@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities found in CSGuestbook  by CoolSerlets.com




Audit of the script: http://www.coolservlets.com/CSGuestbook/
About this script: This is an open source GuestBook script offered by CoolServlets.com
About the audit: This audit was performed by Daxgrapol and Dopel for RACAT (a subgroup of CASOS in the cyberarmy.net community).

Note in advance: The script is dated at Feb 10, 2000, suggesting it is about 5 years old.

Exploits found: 

File name: CSGuesbook.java
Method name: public void service()
Vulnerability Description: Although there is only one user mode currently implemented,
the client could potentially send any user mode it wanted including "admin"
which currently is not authenticated.

File name: GuesbookFilter.java
Method name: public String filterBadwords()
Vulnerability Description: Only the first special character is filtered off of the return string.
This can lead to string being return with escape characters concatenated
on the user input.

Ex. "Hello\\"
(found by: Dopel).

- Buffer overflow is possible (input field length not checked).
(found by: Daxgrapol).

Some logical coding errors:
- the resulting hyperlink in the URL field (website of the signer) is something like this: 
http://localhost:8080/guestbook/www.sitename.com
(where localhost:8080/guestbook refers to my local configuration)
The error is in GuestBookEntry.java, line 59:
return "<a href=\"" + url + "\">" + url + "</a>";
must be :
return "<a href=\"http://" + url + "\">" + url + "</a>";
This because the transmission protocol is not specified.

- In the method addDatabaseEntry(req, res, db) the input fields presence are validate like this:
String entry_name = request.getParameter("name");
if (entry_name == null) entry_name = "";
Better solution is:
String entry_name = "";
entry_name = request.getParameter("name").trim();
(This in order to avoid a 'valid' entry like ' x').

- There is not a check on the maxlenght of each input field. Wherever I can put the entire 'Divine Commedy'. This check is imperative in the servlet code, suggested in the html form.

- The email address is not checked as a real one (like the web address). Not really important in a guestbook, but if I ask for them why not to check them?
(found by: Daxgrapol). 

Conclusion:
This project is actually outdated by so much that we hope no-one uses it anymore, if you still do, you should really consider updating to something more safe, and coded to more recent standards.
Still this report should show you how important proper coding is.

On behalf of RACAT and CASOS,
Anvar



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ