-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SA0006 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++ VHCS 2.x HTTP Error Cross Site Scripting +++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PUBLISHED ON Nov 22, 2005 PUBLISHED AT http://moritz-naumann.com/adv/0006/vhcsxss/0006.txt http://moritz-naumann.com/adv/0006/vhcsxss/0006.txt.sig PUBLISHED BY Moritz Naumann IT Consulting & Services Hamburg, Germany http://moritz-naumann.com/ SECURITY at MORITZ hyphon NAUMANN d0t COM GPG key: http://moritz-naumann.com/keys/0x277F060C.asc AFFECTED APPLICATION OR SERVICE VHCS http://www.vhcs.net/ VHCS, the Virtual Hosting Control System, is a virtual hosting management application. AFFECTED VERSIONS Version 2.2.0 up to and including 2.4.6.2 BACKGROUND Cross Site Scripting, also known as XSS or CSS, describes the injection of malicious content into output produced by a web application. A common attack vector is the inclusion of arbitrary client side script code into the applications' output. Failure to completely sanitize user input from malicious content causes a web application to be vulnerable to Cross Site Scripting. http://en.wikipedia.org/wiki/XSS http://www.cgisecurity.net/articles/xss-faq.shtml ISSUE VHCS is subject to a XSS vulnerability on its HTTP error messages. This issue is caused by lack of input sanitation in vhcs/gui/errordocs/index.php which returns unfiltered web server environment variables. Successful exploitation may allow for impersonification through session stealing attacks. The following URL demonstrates this issue: [vhcs_basedir]/dev/inputvalidation%3Cscript%3Ealert(window.location.hash)%3B%3C/script%3E#XSS WORKAROUND Client: Disable Javascript. Server: Prevent access to vulnerable file(s). SOLUTIONS Moritz Naumann IT Consulting & Services has crafted a unified diff patch against VHCS 2.4.6.2 which is available at http://moritz-naumann.com/adv/0006/vhcsxss/patch/index.php.diff VHCS developers may provide a fix in the 2.6 release. A release date is not currently set. TIMELINE Oct 06, 2005 Discovery Oct 06, 2005 Code maintainer notified Oct 06, 2005 Code maintainer replies Nov 22, 2005 Public disclosure REFERENCES N/A ADDITIONAL CREDIT N/A LICENSE Creative Commons Attribution-ShareAlike License Germany http://creativecommons.org/licenses/by-sa/2.0/de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDg4l+n6GkvSd/BgwRAnhcAKCEfl0VO/XNXvL9ltSkJzWMBnsGxwCdE269 2TBoq12ltOuH467cZqOUy1k= =IIUA -----END PGP SIGNATURE-----