RXGoogle.CGI Cross Site Scripting Vulnerability
BID:9575
Info
RXGoogle.CGI Cross Site Scripting Vulnerability
| Bugtraq ID: | 9575 |
| Class: | Input Validation Error |
| CVE: |
CVE-2004-0251 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 04 2004 12:00AM |
| Updated: | Jul 12 2007 05:17PM |
| Credit: | Discovery of this issue has been credited to Shaun Colley <[email protected]>. |
| Vulnerable: |
rxgoogle.cgi rxgoogle.cgi 1.0 All Enthusiast Inc ReviewPost PHP Pro 2.5.1 All Enthusiast Inc ReviewPost PHP Pro 2.5 All Enthusiast Inc ReviewPost PHP Pro 1.0.2 |
| Not Vulnerable: | |
Discussion
RXGoogle.CGI Cross Site Scripting Vulnerability
The rxgoogle.cgi search script is prone to a cross-site scripting vulnerability because the software fails to sanitize user input and allows various metacharacters that may facilitate cross-site scripting attacks.
An attacker may leverage this issue to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The rxgoogle.cgi search script is prone to a cross-site scripting vulnerability because the software fails to sanitize user input and allows various metacharacters that may facilitate cross-site scripting attacks.
An attacker may leverage this issue to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Exploit / POC
RXGoogle.CGI Cross Site Scripting Vulnerability
No exploit is required to leverage this issue. The following proof of concept has been provided:
http://www.example.com/cgi-bin/rxgoogle.cgi?query=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E
No exploit is required to leverage this issue. The following proof of concept has been provided:
http://www.example.com/cgi-bin/rxgoogle.cgi?query=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E
Solution / Fix
RXGoogle.CGI Cross Site Scripting Vulnerability
Solution:
The following patch has been submitted by a third party and is untested:
----START
--- rxgoogle.cgi 2004-02-04 14:20:38.000000000 -0500
+++ test 2004-02-04 14:27:29.000000000 -0500
@@ -197,7 +197,13 @@
my $req = new HTTP::Request GET => "$url";
my $res = $ua->request($req);
if ($res->is_success) { $page_returned =
$res->content; } return $page_returned;}
-sub parse{my (@pairs, %in);my (@pairs, %in);my
($buffer, $pair, $name, $value);if
($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs = split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;($value eq "---") and next PAIR;exists
$in{$name} ? ($in{$name} .= "~~$value") : ($in{$name}
= $value);}return %in;}
+
+# This parsing routine poorly sanitized user-input,
thus allowing injection
+# of metametachars, such as '<' and '>'. I have
patched the problem now, by
+# filtering input quite well now.
+#
+# -Shaun2k2
+sub parse{$OK_CHARS='-a-zA-Z0-9_.@'; my (@pairs,
%in);my (@pairs, %in);my ($buffer, $pair, $name,
$value);if ($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs =
split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$name =~ s/[^$OK_CHARS]/_/go;$value =~
tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ s/[^$OK_CHARS]/_/go;($value eq
"---") and next PAIR;exists $in{$name} ? ($in{$name}
.= "~~$value") : ($in{$name} = $value);}return %in;}
sub html_navbar{my
($maxhits,$current,$numhits,$url)=0;my ($html, $nh,
$prev_hit, $next_hit, $left, $right, $first, $last,
$lower, $upper)="";$maxhits =shift; $numhits =shift;
$current =shift; $url =shift;
$nh=int($current/$maxhits)+1; $prev_hit=$nh-1;
$next_hit=$nh+1; if (($current + $maxhits) >=
$numhits) {$next_hit=0;}if ($numhits > $maxhits) {
$left = $nh; $right = int($numhits/$maxhits) -
$nh; ($left > 7) ? ($lower = $left -
7) : ($lower = 1); ($right > 7) ? ($upper = $nh
+ 7) : ($upper = int($numhits/$maxhits) + 1);
(7 - $nh >= 0) and ($upper = $upper + (8 - $nh));
($nh > ($numhits/$maxhits - 7)) and ($lower = $lower
- ($nh - int($numhits/$maxhits - 7) - 1));
$html = ""; ($nh > 1) and ($html .= qq~<a
href="$url&start=$prev_hit">[previous]</a> ~);
for ($i = 1; $i <= int($numhits/$maxhits) + 1; $i++) {
if ($i < $lower) { $html .= " ... "; $i =
($lower-1); next; } if ($i >
$upper) { $html .= " ... "; last; } ($i ==
$nh) ? ($html .= qq~$i ~) :
($html .= qq~<a href="$url&start=$i">$i</a> ~);
(($i * $maxhits) >= $numhits) and last;
}if ($next_hit) { $html .= qq~<a
href="$url&start=$next_hit">[next]</a> ~ unless ($nh
== $i); } }return $html;}
1;
@@ -224,4 +230,4 @@
print WRITEIT "$site\n";
close(WRITEIT);
}
-
\ No newline at end of file
+
---END
Apply the patch as below:
$ patch rxgoogle.cgi rxgoogle-xss.patch
Solution:
The following patch has been submitted by a third party and is untested:
----START
--- rxgoogle.cgi 2004-02-04 14:20:38.000000000 -0500
+++ test 2004-02-04 14:27:29.000000000 -0500
@@ -197,7 +197,13 @@
my $req = new HTTP::Request GET => "$url";
my $res = $ua->request($req);
if ($res->is_success) { $page_returned =
$res->content; } return $page_returned;}
-sub parse{my (@pairs, %in);my (@pairs, %in);my
($buffer, $pair, $name, $value);if
($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs = split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;($value eq "---") and next PAIR;exists
$in{$name} ? ($in{$name} .= "~~$value") : ($in{$name}
= $value);}return %in;}
+
+# This parsing routine poorly sanitized user-input,
thus allowing injection
+# of metametachars, such as '<' and '>'. I have
patched the problem now, by
+# filtering input quite well now.
+#
+# -Shaun2k2
+sub parse{$OK_CHARS='-a-zA-Z0-9_.@'; my (@pairs,
%in);my (@pairs, %in);my ($buffer, $pair, $name,
$value);if ($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs =
split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$name =~ s/[^$OK_CHARS]/_/go;$value =~
tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ s/[^$OK_CHARS]/_/go;($value eq
"---") and next PAIR;exists $in{$name} ? ($in{$name}
.= "~~$value") : ($in{$name} = $value);}return %in;}
sub html_navbar{my
($maxhits,$current,$numhits,$url)=0;my ($html, $nh,
$prev_hit, $next_hit, $left, $right, $first, $last,
$lower, $upper)="";$maxhits =shift; $numhits =shift;
$current =shift; $url =shift;
$nh=int($current/$maxhits)+1; $prev_hit=$nh-1;
$next_hit=$nh+1; if (($current + $maxhits) >=
$numhits) {$next_hit=0;}if ($numhits > $maxhits) {
$left = $nh; $right = int($numhits/$maxhits) -
$nh; ($left > 7) ? ($lower = $left -
7) : ($lower = 1); ($right > 7) ? ($upper = $nh
+ 7) : ($upper = int($numhits/$maxhits) + 1);
(7 - $nh >= 0) and ($upper = $upper + (8 - $nh));
($nh > ($numhits/$maxhits - 7)) and ($lower = $lower
- ($nh - int($numhits/$maxhits - 7) - 1));
$html = ""; ($nh > 1) and ($html .= qq~<a
href="$url&start=$prev_hit">[previous]</a> ~);
for ($i = 1; $i <= int($numhits/$maxhits) + 1; $i++) {
if ($i < $lower) { $html .= " ... "; $i =
($lower-1); next; } if ($i >
$upper) { $html .= " ... "; last; } ($i ==
$nh) ? ($html .= qq~$i ~) :
($html .= qq~<a href="$url&start=$i">$i</a> ~);
(($i * $maxhits) >= $numhits) and last;
}if ($next_hit) { $html .= qq~<a
href="$url&start=$next_hit">[next]</a> ~ unless ($nh
== $i); } }return $html;}
1;
@@ -224,4 +230,4 @@
print WRITEIT "$site\n";
close(WRITEIT);
}
-
\ No newline at end of file
+
---END
Apply the patch as below:
$ patch rxgoogle.cgi rxgoogle-xss.patch
References
RXGoogle.CGI Cross Site Scripting Vulnerability
References:
References:
- ReviewPost PHP Pro (All Enthusiast Inc)
- rxgoogle.cgi (HotScripts)
- rxgoogle.cgi XSS Vulnerability. (Shaun Colley
)