SecurityTracker.com

SecurityTracker
Archives


Category:  Application (Web Server/CGI)  >  Apache mod_survey
Vendors:  Palmius, Joel
Apache mod_survey HTML Report Format Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009516
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 22 2004
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): Stable: 3.0.16-pre1 and prior versions; Development: 3.2.0-pre3 and prior versions
Description:  An input validation vulnerability was reported in Apache mod_survey. A remote user can conduct cross-site scripting attacks against survey administrators.

It is reported that mod_survey does not fully filter HTML code from user-supplied input in the survey text field answers. A remote user can submit specially crafted text as a survey answer. Then, when the target administrator exports the data in HTML table format and views the table, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the mod_survey software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the administrator user.

A similar filtering flaw is reported in the logging of malformed query strings.

The vendor credits Niklas Deutschmann with reporting this flaw.

Impact:  A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the mod_survey software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
Solution:  The vendor has released a fixed version (3.0.16-pre2 stable and 3.2.0-pre4 development), available at:

http://gathering.itm.mh.se/modsurvey/download.php

Vendor URL:  gathering.itm.mh.se/modsurvey/SA20040321.txt
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Joel Palmius <joel.palmius@mh.se>
Message History:   None.


 Source Message Contents

Date:  Mon, 22 Mar 2004 12:34:28 +0100 (CET)
From:  Joel Palmius <joel.palmius@mh.se>
Subject:  Mod_Survey security advisory: Script injection bug

 

This was published on the Mod_Survey mailing list a few minutes ago.


#########################################################
Mod_Survey Security Advisory 2004-03-21, Script injection
#########################################################


ABOUT MOD_SURVEY
----------------
Mod_Survey is an Apache module which displays and handles questionnaires
written in a special XML-based markup language. Mod_Survey is primarily
targeted towards Linux/Unix, but is also possible to run in Windows.


SUMMARY
-------
In all versions older than 2004-03-21, it is possible for a remote
evil person to submit script code (such as JavaScript) along with his
normal answers. This could, for example, be exploitable to get access
to the password cookie used by the administrator of the survey, and 
thereby read access to the submitted data.


ERROR CATEGORY
--------------
The error falls into the classes "Input Validation Error" and 
"Script Injection". It is possible to exploit remotely.


VULNERABLE
----------
In stable (3.0.x) branch:

  All versions up to and including 3.0.16-pre1

In development (3.2.x) branch:

  All versions up to and including 3.2.0-pre3
  
Not vulnerable:

  3.0.16-pre2
  3.2.0-pre4


SOLUTION
--------
Users of the stable branch are encouraged to upgrade to 3.0.16-pre2. 
Users of the development branch are encouraged to upgrade to 3.2.0-pre4
or to the current CVS version.


LONGER DISCUSSION
-----------------
Mod_Survey accepts arbitrary text-field type answers to be submitted by
a respondent. As the data backend usually does not care about what is 
actually contained in these answers, very few illegal characters have
been filtered out from being saved. This is in itself not a major 
problem.

However, when the administrator of the survey wants to download the
submitted data, he gets to choose between several different formats. One
of these is to download it as a HTML table. 

Previously, the data was pasted straight into the HTML output without any
filtering or escaping. To illustrate the problem, let's assume that the
respondent answered that his name was:

  <script>alert('Hello there')</script>

...then the survey administrator would see an annoyingly displayed message
box every time he looked at the data through his browser.

The same approach would be valid for other export formats, such as the 
SQL export and the XML export. 

It has also been pointed out that a similar problem occurs in error 
messages about malformed query strings in Mod_Survey. The conceivable 
impact of this is limited, but the problem has been fixed as a part of 
this security update. Further, steps have been taken to add an extra 
layer of protection around the data backend. 

The problem has been addressed differently in the two major branches of
Mod_Survey. In the stable branch, illegal characters are now blocked
altogether. It will thus not be possible to submit characters like <, >,
$ and '. Earlier, other characters such as ;, " and & had already been
blocked. System administrators should be aware of this before upgrading
to the new version, as legitimate uses of these characters are also
blocked. This could cause some irritation amongst respondents. One
workaround if this becomes a problem is to set _SURVEY_PROTESTILLEGAL to
0, which will silently replace illegal characters with pipe signs rather
than whining at the respondent.

In the development branch, the solution has been to filter the output 
rather than the input. Thus, each data export now keeps track of which
characters to filter out or escape. Thus, for example, the HTML export
will silently replace all "<" with "&lt;".


EXPLOIT
-------
A proof of concept of the script injection problem has been written and 
published by Niklas Deutschmann on the Mod_Survey mailing list. As this
involves no complicated coding and since anyone with some insight into
JavaScript immediately will understand how to exploit the flaw, there is
no reason to republish this exploit here. Please refer to the Mod_Survey
mailing list if you are interested.


IMPACT
------
Most surveys will be vulnerable to this. Surveys that only contain 
numerical input fields will not be affected. Nor will this be a problem
in closed-sample surveys where the respondents are known and trusted. 

In surveys where the administration part has been knowingly left open 
so that respondents can view answers anyway, this will merely be a 
minor annoyance. 

All in all the impact must be characterized as severe.


CREDITS
-------
The problem was first discovered and discussed by Niklas Deutschmann, 
who also wrote a proof of concept. BugAnt submitted the basic code for
solving the problem in the 3.2.x branch.

  // Joel
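The two fixes the advisory describes, input blocking in the stable branch and output escaping in the development branch, as an added illustration that is not Mod_Survey's own code. It models the stable-branch behaviour with an assumed `protest_illegal` flag standing in for _SURVEY_PROTESTILLEGAL, and uses the advisory's own sample answer as constructed input.

```python
import html

# Characters the advisory says the stable (3.0.x) branch refuses on input:
# <, >, $ and ' (new in 3.0.16-pre2) plus ;, " and & (blocked earlier).
ILLEGAL_INPUT_CHARS = set('<>$\';"&')

# Constructed respondent answer; the same string the advisory uses to illustrate the bug.
SAMPLE_ANSWER = "<script>alert('Hello there')</script>"


def filter_input(answer: str, protest_illegal: bool = True) -> str:
    """Stable-branch style input filtering (assumed model, not mod_survey's code).

    protest_illegal=True  behaves like _SURVEY_PROTESTILLEGAL=1: the answer is rejected.
    protest_illegal=False behaves like _SURVEY_PROTESTILLEGAL=0: each illegal character
    is silently replaced with a pipe sign, as the advisory describes.
    """
    bad = sorted({c for c in answer if c in ILLEGAL_INPUT_CHARS})
    if bad and protest_illegal:
        raise ValueError(f"illegal characters in answer: {bad}")
    return "".join("|" if c in ILLEGAL_INPUT_CHARS else c for c in answer)


def input_is_rejected(answer: str) -> bool:
    """True when the protesting input filter would refuse this answer."""
    try:
        filter_input(answer, protest_illegal=True)
    except ValueError:
        return True
    return False


def render_html_table_vulnerable(rows) -> str:
    """Pre-fix behaviour: answers pasted straight into the HTML table, unescaped."""
    cells = "".join(f"<tr><td>{r}</td></tr>" for r in rows)
    return f"<table>{cells}</table>"


def render_html_table_escaped(rows) -> str:
    """Development-branch style fix: escape at export time, so '<' becomes '&lt;'."""
    cells = "".join(f"<tr><td>{html.escape(r, quote=True)}</td></tr>" for r in rows)
    return f"<table>{cells}</table>"


def contains_live_script(document: str) -> bool:
    """Crude detector: does the exported HTML still carry an unescaped <script tag?"""
    return "<script" in document.lower()
```

Output-side escaping keeps the respondent's text intact while neutralising it for the HTML export; input-side blocking is simpler but, as the advisory warns, also rejects legitimate uses of those characters.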

 



Copyright 2004, SecurityGlobal.net LLC