lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.21.0209121057210.13446-100000@Tempo.Update.UU.SE>
From: ulfh at update.uu.se (Ulf Harnhammar)
Subject: ht://Check XSS

ht://Check XSS


PROGRAM: ht://Check
VENDOR: Gabriele Bartolini <angusgb@...rs.sourceforge.net> et al.
HOMEPAGE: http://htcheck.sourceforge.net/
VULNERABLE VERSIONS: 1.1, possibly others
IMMUNE VERSIONS: latest CVS
SEVERITY: medium


DESCRIPTION:

"ht://Check is a link checker derived from ht://Dig. It can retrieve
information through HTTP/1.1 and store it in a MySQL database so
that after a "crawl", ht://Check can return broken links, anchors
not found, content-types, and HTTP status codes summaries. A PHP
interface lets the user to query and view the results directly via
the web."

(direct quote from the program's project page at Freshmeat)

ht://Check is written in C++ and PHP, and it is published under
the terms of the GNU General Public License.


SUMMARY:

ht://Check's PHP interface has got some Cross-Site Scripting
problems. It doesn't remove HTML tags before displaying the crawled
web servers' "Server:" headers and other information.

This hole is particularly serious if the PHP interface is used as
a part of some company's Intranet, and if some attackers control
one of the crawled web servers. In that case, the attackers may
be able to perform actions in the Intranet even if they don't have
access to it. They can do that by putting HTML tags in the "Server:"
header that redirects a legitimate Intranet user's web browser to
some script in the Intranet that does something.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 1st of July. This problem has been
fixed in the program's CVS repository, but no new stable version
has been released yet.


// Ulf Harnhammar
ulfh@...ate.uu.se
http://www.metaur.nu/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ