Bug 63957 (CVE-2004-1061)

Summary: VUL-0: CVE-2004-1061: htdig: potential new htDig Xss vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: fs, ke, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1061: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2004-12-06 23:21:29 UTC 
From: mikx <mikx@mikx.de> 
To: security@suse.de, webmaster@suse.de 
Date: Fri, 3 Dec 2004 15:46:24 +0100 
Cc: 
Subject: [security@suse.de] Cross-Site Scripting Vulnerability on suse.de 
Reply-To: mikx <mikx@mikx.de> 
Errors-To: security-bounces+meissner=suse.de@suse.de 
 
Hello, 
 
this is a security vulnerability report. Please confirm receipt of this 
mail. 
 
__Vulnerability Summary 
 
suse.de suffers a Cross-Site Scripting (XSS) vulnerability: 
 
 
http://www.suse.de/cgi-bin/htsearch.cgi?words="><script>alert(document.cookie)</script><x%20&config=htdig_de 
 
The parameter "words" does not get encoded in the output page. 
 
This can be used to obfuscate/fake the output and/or steal cookies by 
inserting arbitrary html/javascript code. 
 
__Contact Informations 
 
Please contact me by email or IM, both: mikx@mikx.de 
 
Kind regards, 
Michael Krax aka mikx
Comment 1 Marcus Meissner 2004-12-06 23:21:29 UTC 
<!-- SBZ_reproduce  -->
see above url.
Comment 2 Marcus Meissner 2004-12-06 23:21:54 UTC 
it is unclear whether this is a problem of htdig and/or of the templates used. 
 
I guess htdig itself.
Comment 3 Marcus Meissner 2004-12-06 23:22:21 UTC 
CAN-2004-1059 mnogosearch (as used at www.redhat.com)                            
CAN-2004-1061 htdig (as used at www.suse.de)        <<<<< this one                              
CAN-2004-1062 viewcvs (as used at cvs.apache.org)
Comment 4 Karl Eichwalder 2004-12-07 15:02:40 UTC 
To fix the bug, I need some coding help.
Comment 5 Marcus Meissner 2004-12-07 20:47:26 UTC 
I do not know how our templates look yet, but I suspect they contain 
 
$&(WORDS) 
 
(& for url decode) 
 
We might need to change this to 
 
$%&(WORDS) 
 
(& for url decode, % for url encode)
Comment 6 Frank Sundermeyer 2004-12-08 19:03:39 UTC 
The templates just contain $(WORDS). I will change all of them to $%&(WORDS).

But this will not help when the exploit-URl is directly entered to the browsers
adress-field as in the example above - or am I wrong with this assumption?
Comment 7 Marcus Meissner 2004-12-08 19:04:38 UTC 
The magic chars %& and should : 
 
& - dequote the passed url 
% - encode it again ...  
 
can you try the exploit after the template change? it should no longer work
Comment 8 Marcus Meissner 2004-12-08 21:36:04 UTC 
hmm, 
 
it is better now. however, it is somehow doubly quoting itself. 
 
can we leave it that way for our site?
Comment 9 Frank Sundermeyer 2004-12-09 01:04:09 UTC 
Sure. Given the fact that all www.suse.* addresses will be redirected to
novell.com within the next 2 weeks, it is ok.

And yes, the exploit doesn't work anymore. Thanks Marcus!
Comment 10 Marcus Meissner 2004-12-09 01:40:18 UTC 
<!-- SBZ_reopen -->Reopened by meissner@suse.de at Wed Dec  8 18:40:18 2004
Comment 11 Marcus Meissner 2004-12-09 01:40:18 UTC 
thanks frank! 
 
I have to review the htdig examples itself and perhaps release an advisory for 
our customers... so reopen for security team to further handle
Comment 12 Marcus Meissner 2004-12-09 21:03:11 UTC 
the htdig default templates use $&(WORDS), which is I guess 
the canonical correct way. 
 
anyway, with the move to novell.com this is obsolete. 
 
No action required, but I will add a note to our weekly summary.
Comment 13 Marcus Meissner 2004-12-16 02:52:37 UTC 
on second thought. no.
Comment 14 Thomas Biege 2009-10-13 20:02:26 UTC 
CVE-2004-1061: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)