ht://Check XSS

PROGRAM: ht://Check
VENDOR: Gabriele Bartolini <angusgb@users.sourceforge.net> et al.
HOMEPAGE: http://htcheck.sourceforge.net/
VULNERABLE VERSIONS: 1.1, possibly others
IMMUNE VERSIONS: latest CVS
SEVERITY: medium

DESCRIPTION:

"ht://Check is a link checker derived from ht://Dig. It can retrieve information through HTTP/1.1 and store it in a MySQL database so that after a "crawl", ht://Check can return broken links, anchors not found, content-types, and HTTP status codes summaries. A PHP interface lets the user query and view the results directly via the web." (direct quote from the program's project page at Freshmeat)

ht://Check is written in C++ and PHP, and it is published under the terms of the GNU General Public License.

SUMMARY:

ht://Check's PHP interface has several Cross-Site Scripting problems. It does not escape or strip HTML before displaying the crawled web servers' "Server:" headers and other crawled data. Because the crawl results are stored in the MySQL database and rendered later, the injected markup is persistent: every user who views the report for that crawl gets it.

This hole is particularly serious if the PHP interface is used as part of some company's Intranet and an attacker controls one of the crawled web servers. In that case the attacker may be able to perform actions in the Intranet even without having access to it: by putting HTML tags (a redirect or a script) in the "Server:" header, the attacker gets a legitimate Intranet user's web browser, while it displays the crawl results, to request some script in the Intranet that does something on that user's behalf.

COMMUNICATION WITH VENDOR:

The vendor was contacted on the 1st of July. This problem has been fixed in the program's CVS repository, but no new stable version has been released yet.

// Ulf Harnhammar
ulfh@update.uu.se
http://www.metaur.nu/
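The following is an added example illustrating the pattern described under SUMMARY; it is not ht://Check's own code and does not reproduce its PHP interface. It models a report page that echoes the stored "Server:" header of each crawled host, first the vulnerable way (raw interpolation) and then with output encoding. The sample rows, the malicious header value, the Intranet URLs and the function names are all constructed for illustration.

```php
<?php
// Added example, not ht://Check's code. Function names, row layout and the
// sample data below are assumptions made for illustration.

// Constructed sample rows, shaped like what a crawl database might return.
// The second row carries what an attacker-controlled host could send as its
// Server: header: a meta refresh that sends the viewer's browser to an
// Intranet script, plus a script tag that fires a second request silently.
$rows = [
    ['url'    => 'http://intranet.example/',
     'server' => 'Apache/1.3.26 (Unix)',
     'status' => 200],
    ['url'    => 'http://external.example/',
     'server' => 'Apache <meta http-equiv="refresh" '
               . 'content="0;url=http://intranet.example/admin/action.php?op=1">'
               . '<script>new Image().src='
               . '"http://intranet.example/admin/action.php?op=2"</script>',
     'status' => 200],
];

// Vulnerable rendering: the stored header is interpolated into the page
// unchanged, so any markup the crawled server sent is interpreted by the
// browser of whoever views the report (stored XSS).
function render_vulnerable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= "<tr><td>{$r['url']}</td><td>{$r['server']}</td>"
               . "<td>{$r['status']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened rendering: every field that originated from a crawled host is
// HTML-encoded at output time. ENT_QUOTES also encodes ' and " so the value
// is safe inside attribute values, not only between tags.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= '<tr><td>' . esc($r['url']) . '</td><td>' . esc($r['server'])
               . '</td><td>' . esc((string) $r['status']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Quick check: does a raw (unencoded) opening tag of the given name survive?
function contains_raw_tag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

$vuln = render_vulnerable($rows);
$safe = render_safe($rows);

foreach (['script', 'meta'] as $tag) {
    printf("vulnerable output contains <%s>: %s\n", $tag,
        var_export(contains_raw_tag($vuln, $tag), true));
    printf("hardened output contains <%s>:   %s\n", $tag,
        var_export(contains_raw_tag($safe, $tag), true));
}
echo $safe;
```

Run it with `php` on the command line; the hardened output shows the attacker's header as visible text (`&lt;script&gt;...`) instead of live markup. Encoding at output time is preferable to stripping tags when the crawl result is stored, since stripping loses the genuine header value and is easy to get wrong, while encoding is exact and reversible. To check an installed interface for this class of bug, crawl a test host you control whose "Server:" header contains harmless markup such as `<b>test</b>` and see whether the report renders it in bold.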