[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <44BD5A68.2080605@moritz-naumann.com>
Date: Wed, 19 Jul 2006 00:02:16 +0200
From: security@...itz-naumann.com
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
bugtraq@...urityfocus.com, moderators@...db.org
Cc:
Subject: WebScarab <= 20060621-0003 cross site scripting
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SA0012
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ WebScarab Cross Site Scripting +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PUBLISHED ON
Jul 18, 2006
PUBLISHED AT
http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt
http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt.gpg
PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/
SECURITY at MORITZ hyphon NAUMANN d0t COM
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED APPLICATION OR SERVICE
WebScarab
http://www.owasp.org/index.php/OWASP_WebScarab_Project
http://sourceforge.net/projects/owasp/
WebScarab is a Free Software for manual and semi-automatic
web application penetration testing. It is developed in
Java by Rogan Dawes as part of the Open Web Application
Security Project (OWASP).
AFFECTED VERSIONS
Version 20060621-0003 and below
ISSUES
WebScarab is subject to a client side script code injection
vulnerability which may allows for running cross site
scripting attacks against web clients connecting through it.
+++++ 1. Cross Site Scripting vulnerability in error
messages
By accessing the following URI using a web browser which is
prone to this issue and configured to proxy through a
vulnerable version of WebScarab, a non-persitent web script
injection can be achieved:
http://arbitrary.domain/</pre><script>alert(0);</script>
This allows for disclosure of sensitive data stored in the
security context of any arbitrary domain which the web browser
has previously accessed but WebScarab is not able to access
by the time the attack takes place (due to invalid upstream
proxy setting on WebScarab, different results of DNS queries,
limited connectivity or other reasons).
Ms Internet Explorer 6 SP2 and Konqueror 3.5.3 are known to
be prone to this issue. This problem is caused by insufficient
santitation of user supplied input before it is returned to
the client as part of an error message.
BACKGROUND
Cross Site Scripting (XSS):
Cross Site Scripting, also known as XSS or CSS, describes
the injection of malicious content into output produced
by a web application. A common attack vector is the
inclusion of arbitrary client side script code into the
applications' output. Failure to completely sanitize user
input from malicious content can cause a web application
to be vulnerable to Cross Site Scripting.
http://en.wikipedia.org/wiki/XSS
http://www.cgisecurity.net/articles/xss-faq.shtml
WORKAROUNDS
Client: Disable Javascript.
Server: None known.
SOLUTIONS
Rogan Dawes has released version 20060718-1904 today.
This version fixes this issue. The updated packages is
available at
http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
TIMELINE
Jul 18, 2006: Discovery, code maintainer notification
Jul 18, 2006: Code maintainer provides fix
Jul 18, 2006: Public advisory
REFERENCES
N/A
ADDITIONAL CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEvVpon6GkvSd/BgwRArImAJ4wq5+KO9B8Lt/QT7gaCc+zDhAH0QCfe0pY
8lOADqs+qmKzqw0cgeb3HWU=
=32H+
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists