
XSS in GreyMatter blog



Greymatter is a Perl-based web blog.
Official site: http://www.greymatterforums.com/
GM analyzes posted comments, and if a post contains dangerous code (such as
<script></script>), the administrator gets a message about it in the log files.
The log files contain not only the message but also the dangerous code itself.
When the admin views the log files (Admin panel Options: "View Control Panel
Log"), the code executes in the admin's browser.
Example attack:
Add a comment:
Name: <script>alert('XSS')</script>
Comment:
<meta http-equiv="refresh" content="0;
url=http://site_with_danger_content.evil"/>

The admin then cannot open the "View Control Panel Log" menu, because the page
redirects to the attacker's site.
Solution:
Edit gm-library.cgi, like this:
-----------------------------------------------------------
# Read the control panel log into memory.
open (FUNNYFEET, "gm-cplog.cgi");
@gmlogfile = <FUNNYFEET>;
close (FUNNYFEET);

foreach $gmlogfileline (@gmlogfile) {
        chomp ($gmlogfileline);
        # Swap the markup the log itself uses for placeholders.
        $gmlogfileline=~s/<b>/#BOLD_OPEN#/ig;
        $gmlogfileline=~s/<\/b>/#BOLD_CLOSED#/ig;
        $gmlogfileline=~s/<font size="1">/#FONT_OPEN#/ig;
        $gmlogfileline=~s/<\/font>/#FONT_CLOSED#/ig;
        # Replace every remaining angle bracket, raw or entity-encoded, with #.
        $gmlogfileline=~s/<|>|&lt;|&gt;/#/ig;
        # Restore the log's own markup from the placeholders.
        $gmlogfileline=~s/#BOLD_OPEN#/<b>/ig;
        $gmlogfileline=~s/#BOLD_CLOSED#/<\/b>/ig;
        $gmlogfileline=~s/#FONT_OPEN#/<font size="1">/ig;
        $gmlogfileline=~s/#FONT_CLOSED#/<\/font>/ig;
        print "$gmlogfileline<BR>";
}
print qq(<font size="1">All danger tags replace with # symbol</font><BR>);
-------------------------------------------------------
Sorry for my English, it's not my primary language.
---------------------------------------------------------
http://www.securityinfo.ru
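
An alternative to the placeholder substitution above, added here as an example and not part of the original post or of Greymatter's code: entity-encode each log line at display time, then restore only the exact tags the log format uses. The function names are hypothetical, the sample lines are constructed, and the assumption that the log's own markup is limited to <b> and <font size="1"> is taken from the fix above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Encode every HTML metacharacter so stored log text renders as text.
sub escape_html {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Escape first, then re-allow only the exact, attribute-free tags assumed
# to be the log's own markup. A tag carrying attributes, such as
# <b onmouseover=...>, never matches these patterns and stays escaped.
sub render_log_line {
    my ($line) = @_;
    my $safe = escape_html($line);
    $safe =~ s{&lt;(/?)b&gt;}{<${1}b>}gi;
    $safe =~ s{&lt;font size=&quot;1&quot;&gt;}{<font size="1">}gi;
    $safe =~ s{&lt;/font&gt;}{</font>}gi;
    return $safe;
}

# Constructed sample lines (not real Greymatter log output); the payloads
# are the ones quoted in the advisory.
my @sample = (
    q{<b>Comment added</b> Name: <script>alert('XSS')</script>},
    q{<font size="1">Comment:</font> <meta http-equiv="refresh" content="0; url=http://site_with_danger_content.evil"/>},
    q{<b onmouseover="x">hover</b> literal #BOLD_OPEN# text},
);

# The script and meta tags come out as &lt;script&gt; and &lt;meta ...&gt;,
# so the browser displays them instead of running or following them.
print render_log_line($_), "<BR>\n" for @sample;
```

Unlike the # replacement, this keeps the submitted text readable in the log view, and a comment containing the literal string #BOLD_OPEN# is not turned into markup.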