RXGoogle.CGI Cross Site Scripting Vulnerability

Solution:
The following patch has been submitted by a third party and is untested:

----START
--- rxgoogle.cgi 2004-02-04 14:20:38.000000000 -0500
+++ test 2004-02-04 14:27:29.000000000 -0500
@@ -197,7 +197,13 @@
my $req = new HTTP::Request GET => "$url";
my $res = $ua->request($req);
if ($res->is_success) { $page_returned =
$res->content; } return $page_returned;}
-sub parse{my (@pairs, %in);my (@pairs, %in);my
($buffer, $pair, $name, $value);if
($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs = split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;($value eq "---") and next PAIR;exists
$in{$name} ? ($in{$name} .= "~~$value") : ($in{$name}
= $value);}return %in;}
+
+# This parsing routine poorly sanitized user-input,
thus allowing injection
+# of metametachars, such as '<' and '>'. I have
patched the problem now, by
+# filtering input quite well now.
+#
+# -Shaun2k2
+sub parse{$OK_CHARS='-a-zA-Z0-9_.@'; my (@pairs,
%in);my (@pairs, %in);my ($buffer, $pair, $name,
$value);if ($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs =
split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$name =~ s/[^$OK_CHARS]/_/go;$value =~
tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ s/[^$OK_CHARS]/_/go;($value eq
"---") and next PAIR;exists $in{$name} ? ($in{$name}
.= "~~$value") : ($in{$name} = $value);}return %in;}
sub html_navbar{my
($maxhits,$current,$numhits,$url)=0;my ($html, $nh,
$prev_hit, $next_hit, $left, $right, $first, $last,
$lower, $upper)="";$maxhits =shift; $numhits =shift;
$current =shift; $url =shift;
$nh=int($current/$maxhits)+1; $prev_hit=$nh-1;
$next_hit=$nh+1; if (($current + $maxhits) >=
$numhits) {$next_hit=0;}if ($numhits > $maxhits) {
$left = $nh; $right = int($numhits/$maxhits) -
$nh; ($left > 7) ? ($lower = $left -
7) : ($lower = 1); ($right > 7) ? ($upper = $nh
+ 7) : ($upper = int($numhits/$maxhits) + 1);
(7 - $nh >= 0) and ($upper = $upper + (8 - $nh));
($nh > ($numhits/$maxhits - 7)) and ($lower = $lower
- ($nh - int($numhits/$maxhits - 7) - 1));
$html = ""; ($nh > 1) and ($html .= qq~<a
href="$url&start=$prev_hit">[previous]</a> ~);
for ($i = 1; $i <= int($numhits/$maxhits) + 1; $i++) {
if ($i < $lower) { $html .= " ... "; $i =
($lower-1); next; } if ($i >
$upper) { $html .= " ... "; last; } ($i ==
$nh) ? ($html .= qq~$i ~) :
($html .= qq~<a href="$url&start=$i">$i</a> ~);
(($i * $maxhits) >= $numhits) and last;
}if ($next_hit) { $html .= qq~<a
href="$url&start=$next_hit">[next]</a> ~ unless ($nh
== $i); } }return $html;}

1;
@@ -224,4 +230,4 @@
print WRITEIT "$site\n";
close(WRITEIT);
}
-
\ No newline at end of file
+
---END


Apply the patch as below:

$ patch rxgoogle.cgi rxgoogle-xss.patch



 

Privacy Statement
Copyright 2010, SecurityFocus