Message-ID: <463BB569.2080107@dawes.za.net>
Date: Sat, 05 May 2007 00:36:25 +0200
From: Rogan Dawes <discard@...es.za.net>
To: security@...itz-naumann.com,
	Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com, moderators@...db.org
Subject: Re: WebScarab <= 20060621-0003 cross site scripting

security@...itz-naumann.com wrote (a LONG time ago):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> SA0012
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> +++++          WebScarab Cross Site Scripting           +++++
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> 
> PUBLISHED ON
>   Jul 18, 2006
> 
> 
> PUBLISHED AT
>   http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt
>   http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt.gpg
> 
> 
> PUBLISHED BY
>   Moritz Naumann IT Consulting & Services
>   Hamburg, Germany
>   http://moritz-naumann.com/
> 
>   SECURITY at MORITZ hyphon NAUMANN d0t COM
>   GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
> 
> 
> AFFECTED APPLICATION OR SERVICE
>   WebScarab
>   http://www.owasp.org/index.php/OWASP_WebScarab_Project
>   http://sourceforge.net/projects/owasp/
> 
>   WebScarab is Free Software for manual and semi-automatic
>   web application penetration testing. It is developed in
>   Java by Rogan Dawes as part of the Open Web Application
>   Security Project (OWASP).
> 
> 
> AFFECTED VERSIONS
>   Version 20060621-0003 and below
> 
> 
> ISSUES
>   WebScarab is subject to a client side script code injection
>   vulnerability which may allow for running cross site
>   scripting attacks against web clients connecting through it.
> 
>   +++++ 1. Cross Site Scripting vulnerability in error
>            messages
> 
>   By accessing the following URI using a web browser which is
>   prone to this issue and configured to proxy through a
>   vulnerable version of WebScarab, a non-persistent web script
>   injection can be achieved:
> 
>   http://arbitrary.domain/</pre><script>alert(0);</script>
> 
>   This allows for disclosure of sensitive data stored in the
>   security context of any arbitrary domain which the web browser
>   has previously accessed but WebScarab is not able to access
>   by the time the attack takes place (due to invalid upstream
>   proxy setting on WebScarab, different results of DNS queries,
>   limited connectivity or other reasons).
> 
>   Ms Internet Explorer 6 SP2 and Konqueror 3.5.3 are known to
>   be prone to this issue. This problem is caused by insufficient
>   sanitation of user supplied input before it is returned to
>   the client as part of an error message.
> 
> 
> BACKGROUND
>   Cross Site Scripting (XSS):
>   Cross Site Scripting, also known as XSS or CSS, describes
>   the injection of malicious content into output produced
>   by a web application. A common attack vector is the
>   inclusion of arbitrary client side script code into the
>   applications' output. Failure to completely sanitize user
>   input from malicious content can cause a web application
>   to be vulnerable to Cross Site Scripting.
> 
>   http://en.wikipedia.org/wiki/XSS
>   http://www.cgisecurity.net/articles/xss-faq.shtml
> 
> 
> WORKAROUNDS
>   Client: Disable Javascript.
>   Server: None known.
> 
> 
> SOLUTIONS
>   Rogan Dawes has released version 20060718-1904 today.
>   This version fixes this issue. The updated package is
>   available at
> 
>   http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
> 
> 
> TIMELINE
>   Jul 18, 2006: Discovery, code maintainer notification
>   Jul 18, 2006: Code maintainer provides fix
>   Jul 18, 2006: Public advisory
> 
> 
> REFERENCES
>   N/A
> 
> 
> ADDITIONAL CREDIT
>   N/A
> 
> 
> LICENSE
>   Creative Commons Attribution-ShareAlike License Germany
>   http://creativecommons.org/licenses/by-sa/2.0/de/

Due to a complete lack of actual testing, the abovementioned "fix" for 
this problem didn't actually do anything. Thanks to Nathaniel Roberts 
for pointing this out, even almost a year later.

A new release of WebScarab has been published that does actually fix 
this. It can be obtained from 
<https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823>

The full changelog since the previous version is available at 
<https://sourceforge.net/project/shownotes.php?release_id=506001&group_id=64424>

Regards,

Rogan Dawes
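The root cause the advisory names is a proxy error page that concatenates the requested URL into HTML without escaping it, so a request path containing `</pre><script>` closes the preformatted block and runs in the origin of whatever domain the browser asked for. The following is an added example, not WebScarab's own code and not from the advisory author, showing the vulnerable concatenation beside a hardened version that escapes every untrusted fragment on output. The class, method names and the `reason` string are assumptions made for the illustration; the request URI is the shape given in the advisory.

```java
// Added example (not WebScarab code): a proxy error page built with and
// without HTML escaping of the request data it echoes back to the client.
public class SafeErrorPage {

    // Escape the characters that carry meaning in HTML text and attribute
    // contexts. Everything else is passed through unchanged, so a URL is
    // still readable in the rendered error message.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the requested URL is concatenated verbatim into
    // the page, so "</pre><script>..." in the path is rendered as markup.
    static String unsafeErrorPage(String requestedUrl, String reason) {
        return "<html><body><h1>Proxy error</h1><pre>"
             + requestedUrl + "\n" + reason
             + "</pre></body></html>";
    }

    // Hardened pattern: every fragment that came from the client (or from a
    // network error that may itself embed client data) is escaped on output.
    static String safeErrorPage(String requestedUrl, String reason) {
        return "<html><body><h1>Proxy error</h1><pre>"
             + escapeHtml(requestedUrl) + "\n" + escapeHtml(reason)
             + "</pre></body></html>";
    }

    public static void main(String[] args) {
        // Constructed request URI in the shape the advisory describes, with a
        // constructed failure reason standing in for the proxy's connect error.
        String url = "http://arbitrary.domain/</pre><script>alert(0);</script>";
        String reason = "Could not connect to upstream host (assumed message)";

        System.out.println("--- unsafe ---");
        System.out.println(unsafeErrorPage(url, reason));
        System.out.println("--- safe ---");
        System.out.println(safeErrorPage(url, reason));
    }
}
```

In the hardened output the path is rendered as literal text (`&lt;/pre&gt;&lt;script&gt;...`) and the `<pre>` element is never closed early. Escaping belongs at the point where a string is written into HTML, not where it is read from the request, because the same URL may later be logged, displayed in the GUI or written to a report, each with its own encoding rules. When checking a fix like the one in the timeline above, the minimal test is to request the advisory's URI through the proxy with a failing upstream and confirm the raw response body contains `&lt;script&gt;` rather than `<script>`.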
