Visitorbook LE Multiple Vulnerabilities
Westpoint Security Advisory
Title: VisitorBook LE Mail Relay and Cross Site Scripting
Risk Rating: Moderate
Software: FreeScripts VisitorBook LE
Platforms: Most Unix
Vendor URL: http://www.freescripts.com/
Author: Paul Johnston <paul@xxxxxxxxxxxxxxxx>
Date: 10th December 2003
Advisory ID#: wp-03-0001
Overview
========
VisitorBook is a "customizable, database-driven guestbook software ...
used all
over the net", which fails to escape various control characters in user
input.
This results in:
* Mail relaying
* Data loss
* Cross site scripting
Details
=======
Open mail relay
---------------
If $mailuser is set to 1 (not the default) then the script can be used as a
mail relay. This arises because line breaks are not escaped in the email
field,
so you can relay mail by setting the email address to something like:
victim@xxxxxxxxxxx
From: spammer@xxxxxxxxxxx
Subject: $$$ hardcore XXX
...
Guestbook database deleting / DoS
---------------------------------
Another consequence of the script failing to escape line breaks is that
anyone
can remotely delete the log - they just need to submit an entry with
more line
breaks that the value of $max_posts.
If you do this with Windows line breaks, then the database file is so
corrupted
afterwards that the script always gives "500 Internal Server Error".
The script also fails to escape pipe "|" characters, which it uses as a
field
deliminator, although it's unlikely this can be exploited.
Cross site scripting
--------------------
The "do" parameter is not escaped at all, which you can exploit like:
http://fester/cgi-bin/visitorbook.pl?do=<script>alert('hello')</script>
The user parameter is also not escaped. To exploit this you need to use
a rogue
DNS server to poison the script with a malicious reverse DNS response. More
about this below. Note: this would be difficult to exploit in practice
and was
not actually exploited in my tests.
Quote marks are not escaped in any parameters. You can exploit this by
signing
an entry with a web link like this:
http://" onmouseover="alert('hello')" crap="
Also, ampersands (&) are not escaped in any parameters, although it's
unlikely
this can be exploited.
Trust of reverse dns
--------------------
The script uses the logic that it logs the user's reverse DNS name if
available, or IP address otherwise. The problem with this is that the
reverse
DNS is untrusted data - someone can easily change their identity by setting
their reverse DNS to, say, "www.whitehouse.gov". This also leads to the
cross-
site scripting attack mentioned above.
Workarounds
===========
Mail relay
Disable user mails, by setting $mailuser to 0
Data deleting
Modify code to escape line break characters on all parameters
Cross site scripting
Modify code to escape <>&" characters on all parameters
Trusting reverse DNS
In Apache config set HostNameLookups to Off
Vendor notification
===================
4 Nov 2003 Mailed all the email addresses in the source code, whois
contacts
for domain.
No response.
5 Nov 2003 Raised a support ticket.
The vendor indicated that the free version of the code had not
been maintained for some time, but that sharing security
related
findings would be much appreciated.
10 Nov 2003 First detailed notification of vulnerabilities.
No response.
21 Nov 2003 Passed draft advisory to vendor; indicated intention to
publish
on 10 Dec.
No response.
9 Dec 2003 Reminded vendor of impending publication.
No response.
This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-03-0001.txt
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@xxxxxxxxxxxxxxxx
web: www.westpoint.ltd.uk