Donato Ferrante

Application: Mephistoles Httpd
             http://sourceforge.net/projects/mephistoles
Version:     0.6.0final
Bug:         cross site scripting
Author:      Donato Ferrante
e-mail:      fdonato@autistici.org
web:         www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"The Mephistoles Internet Suite includes at the present a HTTP server, a
FTP server, a DNS caching server, an (experimental and yet unusable)
NetBIOS client and a client that can (currently) fetch pages via HTTP.
All programs written in Perl and small."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The server does not validate or encode the strings sent by the client.
The requested path is %XX-decoded and then passed unfiltered to the
error routine (serr(403,$page) and serr(404,$page)), which writes it
into the HTML error page returned to the client. Any HTML or script
contained in the request is therefore reflected back to the browser,
which is a classic reflected cross site scripting bug.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability, request a URL of the form:

http://[host]/

for example:

http://[host]/

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

The vendor has been contacted and a new version of Mephistoles Httpd
will be released shortly; check the project's official web site for it:

http://sourceforge.net/projects/mephistoles

Alternatively, the following small patch should fix the bug in version
0.6.0final of Mephistoles Httpd:

--- mephistoles-httpd-0.6.0final-noarch.pl 2004-01-21 12:16:34.000000000 +0100 +++ patch.pl 2004-01-21 12:25:56.000000000 +0100 @@ -205,7 +205,7 @@ my $ic; if (opendir(DIR,$trdr.$public)) { } else { - serr(404,$page); + serr(404,""); return; }
@@ -389,13 +389,13 @@ $page=conv($page); # convert $page from %XX-encoding to plain ASCII if (evilhacker($page)) { # illegal filename - serr(403,$page); + serr(403,""); return; } if (($cgiholes==1) && (defined $getstr)) { # minimal protection for bad cgi-scripts! if (evilhacker($getstr)) { - serr(403,$page); + serr(403,""); return; } } @@ -411,7 +411,7 @@ $trdr="/root/public_html/"; $trp=$2; } else { - serr(403,$page); + serr(403,""); } } else { $page =~ /^\/\~(.+?)\/(.*?)$/g; @@ -449,11 +449,11 @@ if ($reqt==2) { # POST-requests $ENV{"REQUEST_METHOD"}="POST"; if ($postreq==0) { - serr(403,"$page"); + serr(403,""); } else { if ($postreq==1) { if (iscgi($trp)) { - serr(403,"$page"); + serr(403,""); return; } } @@ -495,7 +495,7 @@ $ENV{"REQUEST_METHOD"}="GET"; if (!(-e $trdr.$trp)) { - serr(404,$page); + serr(404,""); return; } @@ -550,7 +550,7 @@ } close(SRC); } else { - serr(404,$page); + serr(404,""); } } xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
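Review bot: In the @@ -205,7 hunk the fix blanks the second argument (serr(404,"")) instead of encoding it, so the 404 page no longer tells the client which path was not found, and every caller of serr() that passes request data has to be patched one by one (this patch touches eight such sites). Encoding once inside serr(), before the argument is interpolated into the HTML, for example `$page =~ s/&/&amp;/g; $page =~ s/</&lt;/g; $page =~ s/>/&gt;/g;`, keeps the path in the message and also covers any call site the patch missed. As a style point, the empty then-branch in `if (opendir(DIR,$trdr.$public)) { } else {` reads more clearly as `unless (opendir(DIR,$trdr.$public)) {`.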
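Review bot: In the @@ -389,13 hunk the two 403 sites ("# illegal filename" and "# minimal protection for bad cgi-scripts!") become indistinguishable after the patch, since both now call serr(403,"") (the original passed $page for the $getstr failure as well, so it never reported the offending query string either). If serr() is used for anything beyond emitting the response, pass a fixed tag such as "illegal filename" or "illegal query string" rather than "". Note also that `$page=conv($page)` runs before both checks and before serr(), so the value that was being reflected is the %XX-decoded path; any encoding added later must stay after that line.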
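Review bot: In the @@ -411,7 hunk the serr(403,"") in the else branch is not followed by `return;`, unlike the sites in the -205 and -389 hunks, so execution continues past the enclosing if/else after a 403 has already been written. The patch preserves the original's behaviour here; either add `return;` after the call or confirm that the surrounding code stops processing the request on its own.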
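Review bot: In the @@ -449,11 hunk the `if ($postreq==0)` branch calls serr(403,"") without a following `return;`, while the iscgi($trp) branch a few lines below does `return;` after the same call. If POST handling is meant to stop when POST requests are disabled, the first site needs the `return;` as well; otherwise the request keeps being processed after the 403 has been sent.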
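The reflection chain described in sections 2 and 4 (the request path is %XX-decoded by conv() and then interpolated into the error page by serr()), shown as an added Python example rather than the server's own Perl code. The error-page markup, the probe path and the function names are assumptions made for illustration; the block also contrasts the advisory's fix (dropping the path entirely) with HTML-encoding it inside the error routine, and provides the check one would run on a captured response from a live server:

```python
import html
import urllib.parse

# Constructed probe, not the advisory's own test string (which was lost in
# extraction): a path whose markup only an HTML-unaware error page reflects.
PROBE = "/<script>alert(1)</script>"
PROBE_ENCODED = "/%3Cscript%3Ealert(1)%3C/script%3E"

REASONS = {403: "Forbidden", 404: "Not Found"}


def conv(page: str) -> str:
    """Percent-decode the request path, like the server's conv() step that
    runs before the path reaches serr(). %3C becomes '<', so URL-encoding
    the payload does not protect the server."""
    return urllib.parse.unquote(page)


def serr_vulnerable(code: int, page: str) -> str:
    """Error response in the shape of 0.6.0final: the decoded path is
    interpolated into the HTML body as-is. The markup is hypothetical; the
    real error page is not shown in the advisory."""
    reason = REASONS[code]
    return (
        f"HTTP/1.0 {code} {reason}\r\n"
        "Content-Type: text/html\r\n\r\n"
        f"<html><head><title>{code} {reason}</title></head>"
        f"<body><h1>{code} {reason}</h1><p>{page}</p></body></html>"
    )


def serr_patched(code: int) -> str:
    """What the advisory's patch does: pass "" instead of $page. The
    reflection disappears, and so does the path from the error page."""
    return serr_vulnerable(code, "")


def serr_escaped(code: int, page: str) -> str:
    """Alternative fix: keep the path in the body but HTML-encode it once,
    inside the error routine, so every caller is covered automatically."""
    return serr_vulnerable(code, html.escape(page, quote=True))


def is_reflected(probe: str, body: str) -> bool:
    """True when the probe's markup survives verbatim in the response body.
    Feed this a captured response when testing a live server."""
    return probe in body


def demo() -> dict:
    """Run the three variants against the URL-encoded probe."""
    decoded = conv(PROBE_ENCODED)
    return {
        "decoded": decoded,
        "vulnerable": is_reflected(PROBE, serr_vulnerable(403, decoded)),
        "patched": is_reflected(PROBE, serr_patched(403)),
        "escaped": is_reflected(PROBE, serr_escaped(403, decoded)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable variant reflects the markup, the patched one does not (at the cost of a less informative error page), and the escaped one keeps the path while rendering it as text. On a real target, send the encoded probe and pass the raw response body to is_reflected(); a hit means the decoded markup reached the page unencoded.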