LiteServe Web Server Input Validation Errors Let Remote Users Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1005574 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 8 2002
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 2.01
|
Description: Several input validation vulnerabilities were reported in the LiteServe web daemon. A remote user can conduct cross-site scripting attacks against LiteServe users.
It is reported that code that produces HTTP directory indices does not properly filter user-supplied input. A remote user can create
query string appended to the end of a folder name and the server will reportedly use this data without filtering for HTML code.
A
remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed
by the target user's browser. The code will originate from the site running LiteServe and will run in the security context of that
site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated
with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as
the target user.
Some demonstration exploit URLs are provided:
http://[liteserve]/dir?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E
http:
//[liteserve]/dir?%3C%2FTITLE%3E%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E
The server will also take
a malicious HTTP/1.1 'Host' header and then, when the hostname is rejected by the DNS server, route the request back to the parent.
A demonstration exploit URL is provided:
http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E.[liteserve]/dir
The
vendor has reportedly been notified.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running LiteServe,
access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.cmfperception.com/liteserve.html (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Windows (Any)
|
Reported By: "Matthew Murphy" <mattmurphy@kc.rr.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 7 Nov 2002 21:33:32 -0600
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
Subject: [Full-Disclosure] LiteServe Directory Index Cross-Site Scripting
|
There are three different places in the directory index of LiteServe where
unsanitized user input is returned to the browser. The first is yet another
wildcard DNS vulnerability, the second centers around query strings.
Write-Up: http://www.techie.hopto.org/vulns/2002-37.txt
* DNS Wildcard XSS
This is similar to the Apache XSS of last month. A malicious 'Host' header
entity is created by a specially encoded hostname. When the hostname is
rejected by the DNS server, the request is routed back to the parent:
http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E
.liteserve.net/dir
* Directory Query String XSS
The LiteServe directory indexing system fails to strip query strings from
indexed folders, meaning that the URL returned by LiteServe is susceptible
to cross-site scripting. URL decoding is performed before return:
http://liteserve.net/dir?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28locati
on%2Ehref%29%22%3E
These are essentially the same HTML, just different issues. There is also a
title tag that isn't filtered:
http://liteserve.net/dir?%3C%2FTITLE%3E%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22
alert%28location%2Ehref%29%22%3E
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
