Re: Airkiosk/formlib application is XSS vuln

[skien <skienlab () gmail com>]

Raymond Pete wrote:
> Had "Skein" posted to this group (bugtraq) asking for contact
> information he would have received a response.  His posting here is
> inaccurate and speculative.

speculative? why?

> DESCRIPTION:
>
> The 3rd party module formlib.pl contained an error in handling/printing
> of unsanitized Input data, which could lead to a malicious user
> injecting code into the users displayed page via a custom generated
> link, if this subroutine was called AND the users browser does not
> encode the input string.

This is inaccurate.
There is another way to use your vuln (as not direct on typing it in to
the browser), the problem of encoding input can be easily overcome using
a POST method that not encode the input or a FLASH/ACTIONSCRIPT.

So re-creating a web-banner that links to your application with a new
page (document.write) .js isn't very difficult to do.

> SECURITY IMPLICATIONS:
>
> Low.  "Skein" has written separately (not on bugtraq) that the danger
> was "for who want to steal cookies."  This speculation concerns sessions
> in which cookies are involved.   However, the AirKiosk system does not
> rely on cookies for session management.  The AirKiosk system does not
> use cookies at all, and we discourage their use generally.

.

> STATUS:
>
> formlib.pl has been patched where applicable and possible code injection
> is no longer possible.  

http://www.blu-express.com/cgi-bin/airkiosk/I7/81015lfa?K=1&K=2&HI%20%MR%20PETE

...
> Raymond Pete
> Operations Director, AirKiosk Systems
> Sutra, Inc.

Skien. not skein.