XSS Bug in Cherokee Webserver

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS Bug in Cherokee Webserver
From: rubengarrote@xxxxxxxxxxxxx
Date: 6 Apr 2006 23:44:55 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Tuesday 4 of April of 2006, I have detected that it is possible to mount an 
attack of the type Cross Site Scripting (XSS) in cherokee-0.5.0 and all 
previous versions.

The problem resides, when introducing code HTML in the URL. Because previously, 
it was let now of a seemed failure, from version 0.4.8 filter the characters < 
> when an error 404 happens. But if cherokee does not understand the request 
(Error 400) gives back the string introduced by the user, without no 
modification, allowing that can be injected I code HTML, to the client.

Proofs of concepts: 
http://localhost:80<script>alert("XSS_Discovered_by_Ruben_Garrote_Garcia_4_Mar_2006");</script>
 
http://localhost/..<script>alert("XSS_Discovered_by_Ruben_Garrote_Garcia_4_Mar_2006");<script>

Version not vulnerable: cherokee-0.5.1
Web Cherokee: www.0x50.org

Credits:
Ruben Garrote Garcia
rubengarrote@xxxxxxxxxxxxx

Prev by Date: Re: Flaw in commonly used bash random seed method
Next by Date: [SECURITY] [DSA 1029-1] New libphp-adodb packages fix several vulnerabilities
Previous by thread: [SECURITY] [DSA 1027-1] New mailman packages fix denial of service
Next by thread: [SECURITY] [DSA 1029-1] New libphp-adodb packages fix several vulnerabilities
Index(es):
- Date
- Thread