|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2004-1341: XSS in info2html | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | security-team, werner |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | CVE-2004-1341: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | ||
| Found By: | Other | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Sebastian Krahmer
2005-04-20 10:11:22 UTC
info2www != info2html btw: Doe _you_ have the exploit or the patch available to se if we're really exploitable in the info2html perl script? Ah, hm. I thought it could be the same, just they name it a bit different. If you are sure about it, then it can be closed of corse. I have no ther info than what I pasted there. Came via security@suse.de http://grape.suse.de/cgi-bin/info2html?(<h1>hallo</h1>)Top This must not show hallo in H1 fontsize, but should show <h1>hallo</h1> verbatim. This specific problem is in DieFileNotFound(), it does not escape the filename correctly. + # Security checks to prevent at least _some_ forms of XSS attacks. + # TODO: This is far from complete, more checks need to be done! + $reason =~ s/</</gs; + $reason =~ s/>/>/gs; + $reason =~ s/&/&/gs; + $reason =~ s/"/"/gs; + $reason =~ s/#//gs; is used in the debian diff, but since it is different code this needs to be done different in our package. Just tried the URL in comment #3 and get File IO Error %3Ch1%3Ehallo%3C/h1%3E could not be opened for reading. do you have fixed the script? Btw: _all_ arguments of the script will be filtered by the function DeEscape. And as you can see (the dif) I've added a protection against an `../' or `..' or `./' attack. this is mozilla specific in konqueror and w3m you will see the <h1> having an effect Try out
~werner/Export/info2html
as a replasment of /srv/www/cgi-bin/info2html
Btw: I do not understand why this is a security risk.
The perl script check if the file
<h1>hello</h1>
exists and if not the subroutine DieFileNotFound()
simply prints out an error message.
Maybe is more beauty to print the argument in such
a way that the browser do not interpret the characters
but you can not use this to read or modify data
on the disk of the server.
No you can't modify anything on the server but untrusted sites can use that to e.g. steal cookies from the client. Here are some explanations about XSS bugs: http://www.heise.de/security/artikel/38658 http://www.cgisecurity.com/articles/xss-faq.txt Hmm ... then an output and not an input filter is required. I've add a subroutine:
sub XssEscape {
local($Tag) = @_;
#-- output escaping is required to protect browser
# against `cross site' and `cross frame scripting'
$Tag =~ s/&/&/gs; # ampersand
$Tag =~ s/#/#/gs;
$Tag =~ s/;/;/gs;
$Tag =~ s/[\000-\037\200-\237]/¿/gs;
$Tag =~ s/</</gs; # less-than symbol
$Tag =~ s/>/>/gs; # greater-than symbol
$Tag =~ s/"/"/gs; # double quote
$Tag =~ s/\240/ /gs; # non-breaking space
$Tag =~ s/\255/­/gs; # soft hyphen
# the rest is interpreted
# as ISO 8859-1
$Tag;
}
which is used now in DieFileNotFound _and_ ReplyNotFoundMessage
For which distribution do we need an update? For all vulnerable ones :-)
> is_maintained -l -a info2html
sles9-i386,sles9-ia64,sles9-ppc,sles9-s390,sles9-s390x,sles9-x86_64,sles9-i386,sles9-x86_64,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64,9.2-i386,9.3-i386
SM-Tracker-1022 Does this mean no sles8? according to is_maintained info2html was not on sles8 so no need to patch it. (is_maintained does not know if it had a different name back then though) > is_maintained -l -a inf2htm
sles8-slec-i386,sles8-i386,sles8-i386,sles8-i386,sles8-i386,sles8-ia64,sles8-ppc,sles8-s390,sles8-s390x,sles8-x86_64,sles8-i386,8.2-i386
or sles8, sles9, sl8.2, sl9.0, sl9.1, sl9.2, and sl9.3 /work/src/done/PATCHINFO/inf2htm.patch.box /work/src/done/PATCHINFO/inf2htm.patch.maintained /work/src/done/PATCHINFO/info2html.patch.box /work/src/done/PATCHINFO/info2html.patch.maintained /work/src/done/*/inf2htm /work/src/done/*/info2html reopen for tracking http://sourceforge.net/projects/info2html has a version 1.4 is that one affected as well? If so we should post your patch to vendor-sec. They _do_ have the same problem. is released now. CVE-2004-1341: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) |