StatsPlus Web Server Statistics Package Allows Remote Users to Inject Arbitrary Script Commands into the Statistics Log and Conduct Cross-site Scripting Attacks

SecurityTracker Alert ID: 1004842

CVE Reference: GENERIC-MAP-NOMATCH

Date: Jul 25 2002

Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Exploit Included: Yes

Version(s): 1.25

Description: An input validation vulnerability was reported in the StatsPlus web site log file statistics package. A remote user can conduct cross-site scripting attacks against other users.
It is reported that the 'stat.pl' script does not filter user-supplied input from web site visitors. This information is written to the 'stat.html' page.
So, a remote user can supply a specially crafted HTTP_USER_AGENT or HTTP_REFERER request header that contains scripting code when accessing a web page that is monitored by StatsPlus. Then, when a target (victim) user visits the 'stat.html' page to view the statistics, that scripting code will be executed by the target user's browser.
The code will originate from the site running StatsPlus and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has reportedly been notified.
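The mechanism described above, as an added example written for this page rather than code from StatsPlus (stat.pl itself is not reproduced here): a Python rendering of the two request headers the advisory names, showing the unescaped pattern next to an escaped one, plus a check that flags raw header values containing markup so an operator can spot such entries in a log. The sample visits, the set of logged headers and all function names are constructed for the illustration.

```python
import html
import re

# Constructed sample CGI environments, modelled on the two request headers the
# advisory names (HTTP_USER_AGENT and HTTP_REFERER). Values are made up for this
# example; the second visit carries markup that a statistics page must not render.
SAMPLE_VISITS = [
    {
        "REMOTE_ADDR": "192.0.2.10",
        "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 5.5)",
        "HTTP_REFERER": "http://www.example.org/index.html",
    },
    {
        "REMOTE_ADDR": "192.0.2.11",
        "HTTP_USER_AGENT": "<script>alert(1)</script>",
        "HTTP_REFERER": 'http://www.example.org/"><img src=x onerror=alert(1)>',
    },
]

# Assumed set of fields written to the statistics table (hypothetical).
LOGGED_HEADERS = ("REMOTE_ADDR", "HTTP_USER_AGENT", "HTTP_REFERER")


def unsafe_row(env):
    """Vulnerable pattern: header values are concatenated straight into HTML,
    so whatever the visitor sent is interpreted by the viewer's browser."""
    cells = "".join("<td>%s</td>" % env.get(name, "-") for name in LOGGED_HEADERS)
    return "<tr>%s</tr>" % cells


def safe_row(env):
    """Hardened version: every visitor-controlled value is escaped for an HTML
    text context before it reaches the page, so markup is displayed, not run."""
    cells = "".join(
        "<td>%s</td>" % html.escape(env.get(name, "-"), quote=True)
        for name in LOGGED_HEADERS
    )
    return "<tr>%s</tr>" % cells


# Characters and tokens that do not belong in a User-Agent or Referer value and
# that an operator reviewing a raw access log would want flagged.
_MARKUP = re.compile(r"[<>\"']|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def suspicious_headers(env):
    """Return the names of logged headers whose raw value contains HTML or
    script markup. A detection aid for raw logs, not a substitute for escaping
    on output; it can also flag unusual but legitimate values."""
    return [
        name for name in LOGGED_HEADERS
        if name != "REMOTE_ADDR" and _MARKUP.search(env.get(name, ""))
    ]


def render_stats(visits, escape=True):
    """Build a stat.html-style table body from a list of visits."""
    row = safe_row if escape else unsafe_row
    return "<table>\n" + "\n".join(row(v) for v in visits) + "\n</table>"


if __name__ == "__main__":
    for v in SAMPLE_VISITS:
        flagged = suspicious_headers(v)
        if flagged:
            print("%s: markup in %s" % (v["REMOTE_ADDR"], ", ".join(flagged)))
    print(render_stats(SAMPLE_VISITS))
```

The fix is entirely on the output side: the header values are still logged verbatim, which keeps the statistics honest, but `html.escape` turns `<`, `>`, quotes and `&` into entities before the value is placed inside a table cell. The `suspicious_headers` check is a separate, coarser signal for reviewing existing logs and will produce some false positives on legitimate URLs.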

Impact: A remote user may be able to access a target user's cookies (including authentication cookies), if any, associated with a site running StatsPlus, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.uninetsolutions.com/stats.html

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: "BrainRawt ." <brainrawt@hotmail.com>

Message History:
None.

Source Message Contents

Date: Thu, 25 Jul 2002 00:10:23 +0000
From: "BrainRawt ." <brainrawt@hotmail.com>
Subject: Uninets StatsPlus 1.25 script injection vulnerabilities
Uninets StatsPlus 1.25 script injection vulnerabilities discovered
by BrainRawt (brainrawt@hotmail.com)
About StatsPlus:
-------------------
StatsPlus provides a convenient way to get in-depth statistics about
visitors to your site. Statistics produced by StatsPlus are similar
to those from a server log, only they are placed neatly into an HTML
table for you to view. StatsPlus can be downloaded at
http://www.uninetsolutions.com/stats.html
It doesn't appear as if StatsPlus has been modified since 1998.
Vulnerable (tested) Versions:
--------------------
StatsPlus 1.25 Windows
StatsPlus 1.25 Unix
Vendor Contact:
--------------------
7-20-02 - An email was sent to support@uninetsolutions.com discussing
the issue at hand.
7-20-02 - Received an automated response stating that my email had been
accepted.
Vulnerability:
--------------------
stat.pl neglects to filter any input to the script from visitors to the
monitored web pages. stat.pl then writes the visitors' information
to an HTML document called stat.html. If a visitor were to modify their
HTTP_USER_AGENT or their HTTP_REFERER and add some scripting to either
one, that scripting would be executed by whoever visited the stat.html
document.
Fix:
-------
No fix has been offered by the vendor as of the writing of this advisory.
Proper filtering of input would not be hard to implement, if one doesn't
mind rewriting parts of the code.
----------------------------------------------------------------------------------
Run this binary. Where is the source? Dont worry, its ok. HEY! WHERE DID
/ GO?