Recent Referer XSS vulnerabilities
Here is a short summary of recent Referer XSS vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.
Referer XSS in E-Blah Platinum.
Description.
Vulnerable script: Code/Routines.pl
The environment variable 'HTTP_REFERER' isn't properly sanitized. This can be used to send an HTTP request with a fake Referer value that may contain arbitrary HTML or script code. This code is executed when the administrator opens the "Click Log".
The administrator's login and password are threatened.
Exploit.
Example HTTP request:
GET /cgi-bin/Blah.pl HTTP/1.0
Host: [host]
Referer: [XSS]
Solution.
The vendor-provided patch is available here:
http://www.eblah.com/forum/m-1140116897/
Other details >>
Multiple flaws in Leif M. Wright Blog.
Description.
In the default installation, the "txt" files are not protected by .htaccess (or by any other means). This can be used to retrieve the administrator's password from the config file.
The "blog.cgi" script does not compare the password when identifying the administrator by cookie.
The administrator is able to edit the blog configuration, including the full path to the sendmail program. This can be used to execute arbitrary shell commands.
System access is possible.
The environment variables HTTP_REFERER and HTTP_USER_AGENT are not properly sanitized. This can be used to send an HTTP request with fake Referer or User-Agent values that may contain arbitrary HTML or script code. This code is executed when the administrator opens the "Log" page.
Exploit.
URL example:
http://[host]/cgi-bin/blog/blogconfig.txt
Cookie: blogAdmin=true
Sendmail: /bin/ls
GET /cgi-bin/blog/blog.cgi HTTP/1.0
Host: [host]
Referer: [XSS]
User-Agent: [XSS]
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
file=15-13.59.39.txt&year=2006&month=February&name=zz&comment=zzz&submit=Enter%20my%20comment
Solution.
Solution is not available.
Other details >>
Clever Copy Referer and X-Forwarded-For XSS.
Description.
Vulnerable script: stats/script.php
The variables $_SERVER['HTTP_REFERER'] and $_SERVER['HTTP_X_FORWARDED_FOR'] are not properly sanitized. This can be used to send an HTTP request with fake Referer or X-Forwarded-For values that may contain arbitrary HTML or script code. This code is executed when the administrator opens Site Stats.
The administrator's session is threatened.
Exploit.
Example HTTP request:
GET /path//stats/script.php?image=1&javascript=false HTTP/1.0
Host: host
Referer: http://path/index.php<XSS>
X-Forwarded-For: anyIP<XSS>
Solution.
Solution is not available.
Other details >>
Referer XSS in ExpressionEngine.
Description.
Vulnerable script: core.input.php
The variable $_SERVER['HTTP_REFERER'] isn't properly sanitized. This can be used to send an HTTP request with a fake Referer value that may contain arbitrary HTML or script code. This code is executed when the administrator (or any user) opens Referrers Statistics.
The administrator's session is threatened.
Exploit.
Example HTTP request:
GET /path/index.php HTTP/1.0
Host: host
Referer: http://<XSS>.com/;
Solution.
Here is the information provided by the vendor:
The $_SERVER['HTTP_REFERER'] variable is actually sanitized before being inserted into the database (and thus before being output). This is done not in the core.input.php file, but in the core.functions.php file where the processing is done. When sanitization is done in ExpressionEngine, XSS code is converted into HTML entities, making it impotent when displayed but still allowing an administrator to safely view the code. However, before being inserted into the database, ExpressionEngine also runs a referrer spam prevention script on the referrer that, unfortunately, converts the HTML entities back into characters. Thus, the XSS protection was basically removed by the spam prevention script.
Here is the location of the fixed file core.functions.php, which users will have to upload to their ExpressionEngine site's system/core/ directory:
http://www.pmachine.com/downloads/security_fix_20060122.zip
Other details >>
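The ExpressionEngine case above is an ordering bug rather than a missing filter: the referrer is escaped, and a later spam-prevention step decodes the entities again before the value is stored and rendered. The following added example (a Python model written for this page, not ExpressionEngine's own code; the spam blacklist and the log-cell markup are assumptions) reproduces that pipeline beside a corrected one that keeps the escaped form:

```python
import html
from typing import Optional

# Constructed sample: a Referer header carrying markup, shaped like the
# advisory's "Referer: http://<XSS>.com/;" with the placeholder filled in.
SAMPLE_REFERER = "http://<script>x</script>.com/;"

# Hypothetical referrer-spam blacklist; real lists are site-specific.
SPAM_TERMS = ("casino", "pharmacy")


def sanitize(value: str) -> str:
    """Convert <, >, &, and quotes to HTML entities (htmlspecialchars-style)."""
    return html.escape(value, quote=True)


def spam_check_decoding(value: str) -> Optional[str]:
    """Models the flawed spam script the vendor describes: it unescapes the
    value to match the blacklist against plain text, then returns the DECODED
    string, silently undoing the sanitization that ran before it."""
    plain = html.unescape(value)
    if any(term in plain.lower() for term in SPAM_TERMS):
        return None  # spam referrer is dropped
    return plain


def spam_check_preserving(value: str) -> Optional[str]:
    """Corrected variant: matches against a decoded copy but returns the
    input unchanged, so the escaped form is what gets stored."""
    plain = html.unescape(value)
    if any(term in plain.lower() for term in SPAM_TERMS):
        return None
    return value


def store_referer_vulnerable(referer: str) -> Optional[str]:
    # Same order as in the vendor's description: sanitize, then spam check.
    return spam_check_decoding(sanitize(referer))


def store_referer_fixed(referer: str) -> Optional[str]:
    return spam_check_preserving(sanitize(referer))


def render_log_cell(stored: str) -> str:
    """The statistics page inserts the stored value into HTML verbatim."""
    return f"<td>{stored}</td>"


def cell_is_safe(cell: str) -> bool:
    """True when the only angle brackets reaching the browser are the <td>
    wrapper itself, i.e. the stored referrer contributes no raw markup."""
    inner = cell[len("<td>"):-len("</td>")]
    return "<" not in inner and ">" not in inner
```

Escaping again at render time would also have masked the bug, and is the safer habit: store what the filter needs, escape at the point of output.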