Re: [Secureideas-base-devel] Re: 3 XSS in BASE 1.2.4
From: nikns <ni...@se...> - 2006-04-05 17:28:47
Finally SF CVS service is up. Fixes against those $_SERVER XSS have been committed.
Thank you Adam for letting us know.
btw, you have been credited in:
http://www.osvdb.org/20835 and http://www.osvdb.org/24307

Thanks
Nikns

On Wed, Mar 29, 2006 at 12:00:51PM -0600, Adam Ely wrote:
> Referring to PrintFreshPage? Not sure if you saw that email, I had some
> trouble last night with my emails going out, but I sent one referring to
> the PrintFreshPage function that seemed to be the offending code.
>
> Adam
>
>> Actually there is one big XSS.
>> It doesn't matter which page you access or what var you use,
>> for example:
>> http://[target]/base/base_main.php?"><script>alert(document.cookie)</script>
>> will work just fine.
>>
>> It seems that this kind of XSS will only work with IE!?
>> Opera just like mozilla automatically encodes url.
>>
>> On Wed, Mar 29, 2006 at 10:39:53AM -0600, Adam Ely wrote:
>>> Something like this should do the trick, leading the unsuspecting security
>>> admin to go to 780inc.com instead of the base installation:
>>>
>>> http://example.com/base-snort/base_stat_ipaddr.php?back=1&ip=1.1.1.1&netmask="><script>document.location='http://www.780inc.com'</script>
>>>
>>> Encoding the attack string of course would help hide this in the real
>>> world but left ASCII here for viewing.
>>>
>>> Adam
>>>
>>>> Right!
>>>> Now I see where the problem is (thanks to IE).
>>>> Unsafe use of $_SERVER['PHP_SELF'] variable.
>>>> We sanitized every post/get variable in fear of sql injections,
>>>> but forgot about PHP_SELF (it is used in back button and refresh url).
>>>>
>>>> Is there an attack scenario for XSS in BASE?
>>>> Like sending a specially crafted url of base to someone?
>>>>
>>>> We will fix this.
>>>> Nikns
>>>>
>>>> On Tue, Mar 28, 2006 at 10:35:50PM -0600, Adam Ely wrote:
>>>>> Hello,
>>>>>
>>>>> The footer page says 1.2.4 and I know the code was updated as I noticed
>>>>> the changes from the last version. I am away from the system BASE is
>>>>> installed on so I can not review the function which you refer, but I would
>>>>> say give it a try in your browser and see what happens. With that being
>>>>> said I would suggest using IE since Firefox (other browsers too?) are not
>>>>> as prone to XSS.
>>>>>
>>>>> Adam
>>>>>
>>>>>> Hi Adam!
>>>>>>
>>>>>> Are you sure that you are using BASE 1.2.4!!!???
>>>>>>
>>>>>> Let's take a look, for example, at netmask sanitization in ipaddr.php:
>>>>>> $netmask = ImportHTTPVar("netmask", VAR_DIGIT);
>>>>>> I don't see how XSS can be possible.
>>>>>>
>>>>>> Nikns
>>>>>>
>>>>>> On Tue, Mar 28, 2006 at 10:46:13PM -0500, Kevin Johnson wrote:
>>>>>>> On Mar 28, 2006, at 10:35 AM, Adam Ely wrote:
>>>>>>>
>>>>>>>> Here are 3 XSS vulns that I found in BASE 1.2.4 this week. I have not
>>>>>>>> checked any prior versions.
>>>>>>>>
>>>>>>>> http://example.com/base/base_graph_main.php?back="><script>alert("780")</script><"
>>>>>>>>
>>>>>>>> http://example.com/base/base_stat_ipaddr.php?ip=1.1.1.1&netmask="><script>alert("780")</script><"
>>>>>>>>
>>>>>>>> http://example.com/base-snort/base_qry_alert.php?submit=<script>780</script>&sort_order=
>>>>>>>>
>>>>>>>> Adam
>>>>>>>
>>>>>>> Hi-
>>>>>>>
>>>>>>> Thanks for letting us know. I am forwarding your email to the BASE
>>>>>>> developer list and we will see what we can do to test this and patch.
>>>>>>>
>>>>>>> Kevin
>>>>>>>
>>>>>>> ---------------------
>>>>>>> BASE Project Lead
>>>>>>> http://sourceforge.net/projects/secureideas
>>>>>>> http://base.secureideas.net
>>>>>>> The next step in IDS analysis!
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
>>>>>>> that extends applications into web and mobile media. Attend the live webcast
>>>>>>> and join the prime developer group breaking into this new coding territory!
>>>>>>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>>>>>>> _______________________________________________
>>>>>>> Secureideas-base-devel mailing list
>>>>>>> Sec...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/secureideas-base-devel
>>>>>
>>>>> --
>>>>> Adam Ely
>>>>> 780 Inc.
>>>>> www.780inc.com
>>>>> email: ada...@78...
>>>>> phone: 678.283.3837
>>>>>
>>>>> This message is intended only for the use of the Addressee and may contain
>>>>> information that is PRIVILEGED and CONFIDENTIAL. If you are not the
>>>>> intended recipient, dissemination of this communication is prohibited. If
>>>>> you have received this communication in error, please erase all copies of
>>>>> the message and its attachments and notify us immediately.
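The defect Nikns identifies in the thread (the request path from $_SERVER['PHP_SELF'] written into the back/refresh link unescaped), shown as an added example that is not BASE's code, beside a hardened version; the function names and the sample request values are hypothetical.

```php
<?php
// Added example, not code from BASE. Names are hypothetical.
declare(strict_types=1);

// Unsafe: PHP_SELF is the request path as the client sent it. On common
// server setups it includes any PATH_INFO appended after the script name,
// and here it is written into an href attribute without escaping.
function refresh_link_unsafe(string $phpSelf, string $query): string
{
    return '<a href="' . $phpSelf . '?' . $query . '">Refresh</a>';
}

// Hardened: build the link from the server-resolved script path
// (SCRIPT_NAME, which does not carry PATH_INFO) and HTML-escape every
// value before it enters the markup, so a stray quote or angle bracket
// cannot close the attribute or open a tag.
function refresh_link_safe(string $scriptName, string $query): string
{
    $path = htmlspecialchars($scriptName, ENT_QUOTES, 'UTF-8');
    $qs   = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $path . '?' . $qs . '">Refresh</a>';
}

// Constructed request values standing in for $_SERVER['PHP_SELF'] and
// $_SERVER['SCRIPT_NAME'] when a client appends junk after the script name.
$phpSelf    = '/base/base_main.php/"><em>injected</em>';
$scriptName = '/base/base_main.php';

echo refresh_link_unsafe($phpSelf, 'back=1'), "\n";
echo refresh_link_safe($scriptName, 'back=1'), "\n";

// Defence in depth: even if the raw request path reached the safe builder,
// escaping keeps the injected markup inert inside the attribute.
echo refresh_link_safe($phpSelf, 'back=1'), "\n";
```

The unsafe builder reproduces the injected markup verbatim inside the page, while the safe builder emits it only as HTML entities, which is why escaping at the output point (not just validating GET/POST variables with ImportHTTPVar) is the fix.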