78956 – (CVE-2004-1341) VUL-0: CVE-2004-1341: XSS in info2html

Bug 78956 (CVE-2004-1341) - VUL-0: CVE-2004-1341: XSS in info2html

Summary: VUL-0: CVE-2004-1341: XSS in info2html

Status:	RESOLVED FIXED

Alias:	CVE-2004-1341

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other All

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVE-2004-1341: CVSS v2 Base Score: 4....
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2005-04-20 10:11 UTC by Sebastian Krahmer
Modified:	2021-11-03 15:00 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2005-04-20 10:11:22 UTC

Just so it doestn slip thru. Did we already have this?
The changelog file doesnt look like that.

Date: Tue, 19 Apr 2005 13:54:58 +0200 (MEST)
From: win-sec-ssc@dfn-cert.de
To: win-sec-ssc@dfn-cert.de
Subject: [security@suse.de] [Debian] Schwachstelle in info2www - DSA 711-1

-----BEGIN PGP SIGNED MESSAGE-----

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgende Warnung des Debian-Teams. Wir geben
diese Informationen unveraendert an Sie weiter.

Der Konverter info2www kann benutzt werden um Dokumentation im
info-Format in Webseiten zu wandeln.

CAN-2004-1341 - Schwachstelle in info2www
  Es existiert eine Cross-site Scripting Schwachstelle in info2www,
  welche einem entfernten Angreifer erlaubt Script-Code im Browser
  anderer Benutzer auszufuehren, wenn diese z.B. einer entsprechend
  manipulierten URL folgen.

Betroffen sind die folgenden Software Pakete und Plattformen:

  Paket info2www in Stable Distribution (woody) vor 1.2.2.9-20woody1
  Paket info2www in Unstable Distribution (sid) vor 1.2.2.9-23

  Stable Distribution (woody)
  Unstable Distribution (sid)

Comment 1 Dr. Werner Fink 2005-04-20 12:13:53 UTC

info2www != info2html

btw: Doe _you_ have the exploit or the patch available to
se if we're really exploitable in the info2html perl script?

Comment 2 Sebastian Krahmer 2005-04-20 12:25:53 UTC

Ah, hm. I thought it could be the same, just they name
it a bit different. If you are sure about it, then
it can be closed of corse. I have no ther info
than what I pasted there. Came via security@suse.de

Comment 3 Marcus Meissner 2005-04-21 08:33:57 UTC

http://grape.suse.de/cgi-bin/info2html?(<h1>hallo</h1>)Top 
 
This must not show hallo in H1 fontsize, but should show <h1>hallo</h1> 
verbatim. 
 
This specific problem is in DieFileNotFound(), it does not escape the filename 
correctly.

Comment 4 Marcus Meissner 2005-04-21 08:35:56 UTC

+    # Security checks to prevent at least _some_ forms of XSS attacks. 
+    # TODO: This is far from complete, more checks need to be done! 
+    $reason =~ s/</&lt;/gs; 
+    $reason =~ s/>/&gt;/gs; 
+    $reason =~ s/&/&amp;/gs; 
+    $reason =~ s/"/&quot;/gs; 
+    $reason =~ s/#//gs; 
 
 
is used in the debian diff, but since it is different code this needs to be 
done different in our package.

Comment 5 Dr. Werner Fink 2005-04-21 12:01:53 UTC

Just tried the URL in comment #3 and get

File IO Error
%3Ch1%3Ehallo%3C/h1%3E could not be opened for reading. 

do you have fixed the script?

Comment 6 Dr. Werner Fink 2005-04-21 12:11:34 UTC

Btw: _all_ arguments of the script will be filtered
by the function DeEscape.  And as you can see (the
dif) I've added a protection against an `../' or `..'
or `./' attack.

Comment 7 Marcus Meissner 2005-04-21 12:17:29 UTC

this is mozilla specific 
 
in konqueror and w3m you will see the <h1> having an effect

Comment 8 Dr. Werner Fink 2005-04-21 13:21:23 UTC

Try out

      ~werner/Export/info2html

as a replasment of /srv/www/cgi-bin/info2html

Comment 9 Dr. Werner Fink 2005-04-22 09:26:44 UTC

Btw: I do not understand why this is a security risk.
The perl script check if the file

      <h1>hello</h1>

exists and if not the subroutine DieFileNotFound()
simply prints out an error message.

Maybe is more beauty to print the argument in such
a way that the browser do not interpret the characters
but you can not use this to read or modify data
on the disk of the server.

Comment 10 Ludwig Nussel 2005-04-22 09:43:16 UTC

No you can't modify anything on the server but untrusted sites can use that to  
e.g. steal cookies from the client. Here are some explanations about XSS bugs: 
 
http://www.heise.de/security/artikel/38658 
http://www.cgisecurity.com/articles/xss-faq.txt

Comment 11 Dr. Werner Fink 2005-04-22 10:06:50 UTC

Hmm ... then an output and not an input filter is required.

Comment 12 Dr. Werner Fink 2005-04-22 11:27:51 UTC

I've add a subroutine:

sub XssEscape {
  local($Tag) = @_;
  #-- output escaping is required to protect browser
  #   against `cross site' and `cross frame scripting'

  $Tag =~ s/&/&amp;/gs;         # ampersand
  $Tag =~ s/#/&#35;/gs;
  $Tag =~ s/;/&#59;/gs;
  $Tag =~ s/[\000-\037\200-\237]/&iquest;/gs;
  $Tag =~ s/</&lt;/gs;          # less-than symbol
  $Tag =~ s/>/&gt;/gs;          # greater-than symbol
  $Tag =~ s/"/&quot;/gs;        # double quote
  $Tag =~ s/\240/&nbsp;/gs;     # non-breaking space
  $Tag =~ s/\255/&shy;/gs;      # soft hyphen
                                # the rest is interpreted
                                # as ISO 8859-1
  $Tag;
}

which is used now in DieFileNotFound _and_ ReplyNotFoundMessage

Comment 13 Dr. Werner Fink 2005-04-22 11:33:04 UTC

For which distribution do we need an update?

Comment 14 Ludwig Nussel 2005-04-22 12:34:10 UTC

For all vulnerable ones :-) 
 
> is_maintained -l -a info2html 
sles9-i386,sles9-ia64,sles9-ppc,sles9-s390,sles9-s390x,sles9-x86_64,sles9-i386,sles9-x86_64,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64,9.2-i386,9.3-i386

Comment 15 Ludwig Nussel 2005-04-22 12:36:18 UTC

SM-Tracker-1022

Comment 16 Dr. Werner Fink 2005-04-22 12:42:44 UTC

Does this mean no sles8?

Comment 17 Ludwig Nussel 2005-04-22 12:48:56 UTC

according to is_maintained info2html was not on sles8 so no need to patch it. 
(is_maintained does not know if it had a different name back then though)

Comment 18 Dr. Werner Fink 2005-04-22 12:58:25 UTC

> is_maintained -l -a inf2htm
sles8-slec-i386,sles8-i386,sles8-i386,sles8-i386,sles8-i386,sles8-ia64,sles8-ppc,sles8-s390,sles8-s390x,sles8-x86_64,sles8-i386,8.2-i386

Comment 19 Dr. Werner Fink 2005-04-22 14:09:46 UTC

or sles8, sles9, sl8.2, sl9.0, sl9.1, sl9.2, and sl9.3

/work/src/done/PATCHINFO/inf2htm.patch.box
/work/src/done/PATCHINFO/inf2htm.patch.maintained
/work/src/done/PATCHINFO/info2html.patch.box
/work/src/done/PATCHINFO/info2html.patch.maintained

/work/src/done/*/inf2htm
/work/src/done/*/info2html

Comment 20 Ludwig Nussel 2005-04-22 15:46:22 UTC

reopen for tracking

Comment 21 Ludwig Nussel 2005-04-25 14:59:24 UTC

http://sourceforge.net/projects/info2html has a version 1.4 is that one  
affected as well? If so we should post your patch to vendor-sec.

Comment 22 Dr. Werner Fink 2005-04-25 15:04:41 UTC

They _do_ have the same problem.

Comment 23 Marcus Meissner 2005-05-30 13:18:24 UTC

is released now.

Comment 24 Thomas Biege 2009-10-13 20:12:52 UTC

CVE-2004-1341: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)