Re: Airkiosk/formlib application is XSS vuln
Had "Skein" posted to this group (bugtraq) asking for contact
information he would have received a response. His posting here is
inaccurate and speculative.
DESCRIPTION:
The 3rd party module formlib.pl contained an error in handling/printing
of unsanitized Input data, which could lead to a malicious user
injecting code into the users displayed page via a custom generated
link, if this subroutine was called AND the users browser does not
encode the input string.
SECURITY IMPLICATIONS:
Low. "Skein" has written separately (not on bugtraq) that the danger
was "for who want to steal cookies." This speculation concerns sessions
in which cookies are involved. However, the AirKiosk system does not
rely on cookies for session management. The AirKiosk system does not
use cookies at all, and we discourage their use generally.
STATUS:
formlib.pl has been patched where applicable and possible code injection
is no longer possible.
Raymond Pete
Operations Director, AirKiosk Systems
Sutra, Inc.
On Tue, 2007-10-30 at 00:40 +0000, skienlab@xxxxxxxxx wrote:
> In the last week I've found a XSS vuln into the Sutra's Airkiosk
> application for the realtime distribution of flights/booking and
> check-in interface (www.airkiosk.com).
>
> The XSS is possible because they are using a VULN/OLD formlib.pl in
> their application that permits to execute any JavaScript you like:
>
> &HtmlError("formlib.parse", "bjelli", "Error parsing $_,
> aborting.\n");
>
> if you get the error 'f you need help, call bjelli.'.
>
>
> I suppose it can be related to this flying companies (I've only tryed it
> on Blu-express, and Jet2.com):
>
> Aero, Jet2.com, Air southwest, manx2, airsea, republicaairways,
> blu-express, highland airways, blueisland, tobagoexpress, evolavia,
> zambian, menajet.com, snowflake, airwales and other that is can be easy
> found by searching on google.
>
>
>
>
> The maintainer (and the flying company blu-express) has been contacted
> twice via mail in the last two weeks but choose not to respond at all.
>
> Regards
> Skien
>