Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Airkiosk/formlib application is XSS vuln

From: Raymond Pete <pete () airkiosk com>
Date: Thu, 01 Nov 2007 12:39:05 -0400
Had "Skein" posted to this group (bugtraq) asking for contact
information he would have received a response.  His posting here is
inaccurate and speculative.

DESCRIPTION:

The 3rd party module formlib.pl contained an error in handling/printing
of unsanitized Input data, which could lead to a malicious user
injecting code into the users displayed page via a custom generated
link, if this subroutine was called AND the users browser does not
encode the input string.

SECURITY IMPLICATIONS:

Low.  "Skein" has written separately (not on bugtraq) that the danger
was "for who want to steal cookies."  This speculation concerns sessions
in which cookies are involved.   However, the AirKiosk system does not
rely on cookies for session management.  The AirKiosk system does not
use cookies at all, and we discourage their use generally.

STATUS:

formlib.pl has been patched where applicable and possible code injection
is no longer possible.  



Raymond Pete
Operations Director, AirKiosk Systems
Sutra, Inc.

On Tue, 2007-10-30 at 00:40 +0000, skienlab () gmail com wrote:

In the last week I've found a XSS vuln into the Sutra's Airkiosk
application for the realtime distribution of flights/booking and
check-in interface (www.airkiosk.com).

The XSS is possible because they are using a VULN/OLD formlib.pl in
their application that permits to execute any JavaScript you like:

            &HtmlError("formlib.parse", "bjelli", "Error parsing $_, aborting.\n");

if you get the error 'f you need help, call bjelli.'.


I suppose it can be related to this flying companies (I've only tryed it
on Blu-express, and Jet2.com):

Aero, Jet2.com, Air southwest, manx2, airsea, republicaairways,
blu-express, highland airways, blueisland, tobagoexpress, evolavia,
zambian, menajet.com, snowflake, airwales and other that is can be easy
found by searching on google.




The maintainer (and the flying company blu-express) has been contacted
twice via mail in the last two weeks but choose not to respond at all.

Regards
Skien
Previous By Date Next
Previous By Thread Next

Current thread: