[KA Advisory 0411291] IPCop Cross Site Scripting Vulnerability in "proxylog.dat"
IPCop Cross Site Scripting Vulnerability in "proxylog.dat"
http://www.kurczaba.com/html/security/0411291.htm
----------------------------------------------------------
Overview:
"IPCop implements existing technology, secure programming practices and
outstanding new concepts to make it ‘the’ Linux Distribution for protecting
single home computers, to large corporate networks from intrusions and
attacks." -http://www.ipcop.org
Vendor:
IPCop (http://www.ipcop.org)
Affected Systems/Configuration:
1.4.1, possibly older versions
Vulnerability/Exploit:
A Cross Site Scripting vulnerability has been found in the IPCop web interface.
The "proxylog.dat" page allows the IPCop administrators to review browsed
websites that have been processed through Squid. By creating a specially
crafted HTTP request, it is possible to inject script code into the
"proxylog.dat" page. The variables "$url" and "$part" are not sanitized before
being sent to the user. When the administrators view the page, the script code
will be executed.
Proof of Concept:
The following HTTP request example will cause script injection into the proxy
log:
-----START PoC-----
GET /<script>alert('XSS_PoC')</script> HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: example.com
Connection: Close
-----END PoC-------
Workaround:
1) Open /home/httpd/cgi-bin/logs.cgi/proxylog.dat
2) Locate the following text: unless (length($part) < 60) { $part =
"${part}..."; }
3) Insert the following five lines below:
#Filter out < and >
$url =~s/</</g;
$part =~s/</</g;
$url =~s/>/>/g;
$part =~s/>/>/g;
Date Discovered:
November 29, 2004
Severity:
Low
Credit:
Paul Kurczaba
Kurczaba Associates