<<< Date Index >>>     <<< Thread Index >>>

Multiple vulnerabilities found in CSGuestbook by CoolSerlets.com




Audit of the script: http://www.coolservlets.com/CSGuestbook/
About this script: This is an open source GuestBook script offered by 
CoolServlets.com
About the audit: This audit was performed by Daxgrapol and Dopel for RACAT (a 
subgroup of CASOS in the cyberarmy.net community).

Note in advance: The script is dated at Feb 10, 2000, suggesting it is about 5 
years old.

Exploits found: 

File name: CSGuesbook.java
Method name: public void service()
Vulnerability Description: Although there is only one user mode currently 
implemented,
the client could potentially send any user mode it wanted including "admin"
which currently is not authenticated.

File name: GuesbookFilter.java
Method name: public String filterBadwords()
Vulnerability Description: Only the first special character is filtered off of 
the return string.
This can lead to string being return with escape characters concatenated
on the user input.

Ex. "Hello\\"
(found by: Dopel).

- Buffer overflow is possible (input field length not checked).
(found by: Daxgrapol).

Some logical coding errors:
- the resulting hyperlink in the URL field (website of the signer) is something 
like this: 
http://localhost:8080/guestbook/www.sitename.com
(where localhost:8080/guestbook refers to my local configuration)
The error is in GuestBookEntry.java, line 59:
return "<a href=\"" + url + "\">" + url + "</a>";
must be :
return "<a href=\"http://"; + url + "\">" + url + "</a>";
This because the transmission protocol is not specified.

- In the method addDatabaseEntry(req, res, db) the input fields presence are 
validate like this:
String entry_name = request.getParameter("name");
if (entry_name == null) entry_name = "";
Better solution is:
String entry_name = "";
entry_name = request.getParameter("name").trim();
(This in order to avoid a 'valid' entry like ' x').

- There is not a check on the maxlenght of each input field. Wherever I can put 
the entire 'Divine Commedy'. This check is imperative in the servlet code, 
suggested in the html form.

- The email address is not checked as a real one (like the web address). Not 
really important in a guestbook, but if I ask for them why not to check them?
(found by: Daxgrapol). 

Conclusion:
This project is actually outdated by so much that we hope no-one uses it 
anymore, if you still do, you should really consider updating to something more 
safe, and coded to more recent standards.
Still this report should show you how important proper coding is.

On behalf of RACAT and CASOS,
Anvar