VHCS 2.x HTTP Error Cross Site Scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: VHCS 2.x HTTP Error Cross Site Scripting
From: Moritz Naumann <securityfocus.com@xxxxxxxxxxxxxxxxxx>
Date: Tue, 22 Nov 2005 22:11:26 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Openpgp: id=277F060C
User-agent: Mozilla Thunderbird 1.0.7 (X11/20051017)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


SA0006

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++     VHCS 2.x HTTP Error Cross Site Scripting      +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


PUBLISHED ON
  Nov 22, 2005


PUBLISHED AT
  http://moritz-naumann.com/adv/0006/vhcsxss/0006.txt
  http://moritz-naumann.com/adv/0006/vhcsxss/0006.txt.sig


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

  SECURITY at MORITZ hyphon NAUMANN d0t COM
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED APPLICATION OR SERVICE
  VHCS
  http://www.vhcs.net/

  VHCS, the Virtual Hosting Control System, is a virtual
  hosting management application.



AFFECTED VERSIONS
  Version 2.2.0 up to and including 2.4.6.2


BACKGROUND
  Cross Site Scripting, also known as XSS or CSS, describes
  the injection of malicious content into output produced
  by a web application. A common attack vector is the
  inclusion of arbitrary client side script code into the
  applications' output. Failure to completely sanitize user
  input from malicious content causes a web application
  to be vulnerable to Cross Site Scripting.

  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml


ISSUE
  VHCS is subject to a XSS vulnerability on its HTTP error
  messages. This issue is caused by lack of input sanitation
  in vhcs/gui/errordocs/index.php which returns unfiltered
  web server environment variables.

  Successful exploitation may allow for impersonification
  through session stealing attacks.

  The following URL demonstrates this issue:

[vhcs_basedir]/dev/inputvalidation%3Cscript%3Ealert(window.location.hash)%3B%3C/script%3E#XSS


WORKAROUND
  Client: Disable Javascript.
  Server: Prevent access to vulnerable file(s).


SOLUTIONS
  Moritz Naumann IT Consulting & Services has crafted a
  unified diff patch against VHCS 2.4.6.2 which is available at
    http://moritz-naumann.com/adv/0006/vhcsxss/patch/index.php.diff

  VHCS developers may provide a fix in the 2.6 release. A release
  date is not currently set.


TIMELINE
  Oct 06, 2005  Discovery
  Oct 06, 2005  Code maintainer notified
  Oct 06, 2005  Code maintainer replies
  Nov 22, 2005  Public disclosure


REFERENCES
  N/A


ADDITIONAL CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDg4l+n6GkvSd/BgwRAnhcAKCEfl0VO/XNXvL9ltSkJzWMBnsGxwCdE269
2TBoq12ltOuH467cZqOUy1k=
=IIUA
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: VHCS 2.x HTTP Error Cross Site Scripting
  - From: Moritz Naumann

Prev by Date: [KAPDA::#14] - PHPPost XSS and HTML Injection
Next by Date: Horde MIME Viewer vulnerability
Previous by thread: [KAPDA::#14] - PHPPost XSS and HTML Injection
Next by thread: Re: VHCS 2.x HTTP Error Cross Site Scripting
Index(es):
- Date
- Thread