<<< Date Index >>>     <<< Thread Index >>>

Mephistoles Httpd 0.6.0final XSS



                           Donato Ferrante


Application:  Mephistoles Httpd
              http://sourceforge.net/projects/mephistoles

Version:      0.6.0final

Bug:          cross site scripting

Author:       Donato Ferrante
              e-mail: fdonato@xxxxxxxxxxxxx
              web:    www.autistici.org/fdonato



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"The Mephistoles Internet Suite includes at the present a HTTP server,
a FTP server, a DNS caching server, a (experimental and yet unsusable)
NetBIOS client and a client that can (currently) fetch pages via HTTP.
All programs written in Perl and small."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't make a full check on the strings sent by the
client, in fact the input strings are not filtered and they will
appear in the returned page.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability simply use strings like:

http://[host]/<A_SCRIPT>

for example:

http://[host]/<script>alert("Test")</script>



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

The vendor was contacted and soon will be released a new version of
Mephistoles Httpd, so go on the Mephistoles' official web site:
http://sourceforge.net/projects/mephistoles
and check for a new version.

Or, if you want, you can use my following little patch, that should
fix the bug for the version 0.6.0final of Mephistoles Httpd:

--- mephistoles-httpd-0.6.0final-noarch.pl 2004-01-21 12:16:34.000000000
+0100
+++ patch.pl 2004-01-21 12:25:56.000000000 +0100
@@ -205,7 +205,7 @@
  my $ic;

  if (opendir(DIR,$trdr.$public)) { } else {
-  serr(404,$page);
+  serr(404,"");
   return;
   }

@@ -389,13 +389,13 @@
  $page=conv($page);   # convert $page from %XX-encoding to plain ASCII

  if (evilhacker($page)) {  # illegal filename
-  serr(403,$page);
+  serr(403,"");
   return;
  }

  if (($cgiholes==1) && (defined $getstr)) { # minimal protection for bad
cgi-scripts!
   if (evilhacker($getstr)) {
-   serr(403,$page);
+   serr(403,"");
    return;
   }
  }
@@ -411,7 +411,7 @@
      $trdr="/root/public_html/";
      $trp=$2;
     } else {
-     serr(403,$page);
+     serr(403,"");
     }
    } else {
     $page =~ /^\/\~(.+?)\/(.*?)$/g;
@@ -449,11 +449,11 @@
  if ($reqt==2) {    # POST-requests
   $ENV{"REQUEST_METHOD"}="POST";
   if ($postreq==0) {
-   serr(403,"$page");
+   serr(403,"");
   } else {
    if ($postreq==1) {
     if (iscgi($trp)) {
-     serr(403,"$page");
+     serr(403,"");
      return;
     }
    }
@@ -495,7 +495,7 @@
   $ENV{"REQUEST_METHOD"}="GET";

   if (!(-e $trdr.$trp)) {
-   serr(404,$page);
+   serr(404,"");
    return;
   }

@@ -550,7 +550,7 @@
   }
   close(SRC);
  } else {
-  serr(404,$page);
+  serr(404,"");
  }

 }



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx