Escapade Scripting Engine XSS Vulnerability and Path Disclosure

[Bahaa Naamneh <b_naamneh () hotmail com>]

Escapade Scripting Engine XSS Vulnerability and Path Disclosure


Published: 9 September 2003

Released: 9 September 2003

Affected Systems: Escapade Scripting Engine

Vendor: http://www.escapade.org , http://www.squishedmosquito.com

Issue: Remote attackers can inject XSS script and know the path of the 
site. 


Description:
============
Escapade, or ESP for short, is a server-side scripting language that 
provides an interface to back-end database contents. Specifically 
designed to create dynamic information from this data, Escapade can be 
used to generate any kind of document - HTML, XML, text, and more. 
While server-side scripting is not a new concept, ESP is a breakthrough 
product that will enable programmers to much more easily have access to 
data in databases in their web pages without having to resort to ASP or 
complicated back-end Perl or PHP scripts. 


Details:
========
It's possibile to inject XSS script in the method variable. 

Example: 

http://www.site.com/cgi-bin/esp?PAGE=<script>alert(document.domain)
</script>

It's possible to make a malformed http request for many variables in 
Escapade and in doing so trigger an error. The resulting error message 
will 
disclose potentially sensitive installation path information to the 
remote attacker. 

Example:

http://www.site.com/cgi-bin/esp?PAGE=!@#$%


Solution:
=========
The vendor has been contacted and a patch is not yet produced.


Suggestions:
============
Filter the method variable (xss problem), filter all variables. 


Discovered by / credit:
=======================
Bahaa Naamneh
b_naamneh () hotmail com