Application: Mephistoles Httpd
http://sourceforge.net/projects/mephistoles
Version: 0.6.0final
Bug: cross site scripting
Author: Donato Ferrante
e-mail: fdonato (at) autistici (dot) org [email concealed]
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"The Mephistoles Internet Suite includes at present an HTTP server,
an FTP server, a DNS caching server, an (experimental and as yet unusable)
NetBIOS client and a client that can (currently) fetch pages via HTTP.
All programs are written in Perl and small."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The server does not fully validate the strings sent by the client: the
input is not filtered and is echoed unchanged into the returned page, so
any markup supplied in the request is rendered by the browser (cross site
scripting).
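As an added illustration (not code from Mephistoles or from this advisory), the two shapes of the error-page sink in Perl: the vulnerable one, which interpolates the already %XX-decoded request path straight into the HTML body, and a hardened one that HTML-escapes the path at the point of output. The subroutine names, the message text and the sample path are assumptions; the real serr() may format its page differently.

```perl
#!/usr/bin/perl
# Added example, not Mephistoles' own code. Shows the unsafe error-page
# sink beside an escaped one. html_escape/error_body_* are assumed names.
use strict;
use warnings;

# Escape the characters that let text break out of HTML content or an
# attribute value. '&' must be handled first to avoid double-escaping.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

my %reason = (403 => 'Forbidden', 404 => 'Not Found');

# Vulnerable shape: the decoded request path goes into the body verbatim,
# which is the pattern the serr(code,$page) calls in the patch rely on.
sub error_body_unsafe {
    my ($code, $page) = @_;
    return "<html><body><h1>$code $reason{$code}</h1>"
         . "<p>The requested URL $page was not found.</p></body></html>\n";
}

# Hardened shape: same message, but the path is escaped at the output
# sink, so every caller is covered without blanking each call site.
sub error_body_safe {
    my ($code, $page) = @_;
    my $safe = html_escape($page);
    return "<html><body><h1>$code $reason{$code}</h1>"
         . "<p>The requested URL $safe was not found.</p></body></html>\n";
}

# Constructed sample: the path conv() would hand to serr() after decoding
# a request like the one in section 3.
my $path = '/<script>alert("Test")</script>';
print "unsafe:\n", error_body_unsafe(404, $path);
print "safe:\n",   error_body_safe(404, $path);
```

Run it with `perl` and compare the two bodies: in the second, the path is present as text rather than as markup.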
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability, request a URL of the form:
http://[host]/<A_SCRIPT>
for example:
http://[host]/<script>alert("Test")</script>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
The vendor was contacted and a new version of Mephistoles Httpd will be
released soon, so go to the Mephistoles official web site:
http://sourceforge.net/projects/mephistoles
and check for a new version.
Or, if you prefer, you can use my little patch below, which should fix
the bug for version 0.6.0final of Mephistoles Httpd:
--- mephistoles-httpd-0.6.0final-noarch.pl 2004-01-21 12:16:34.000000000
+0100
+++ patch.pl 2004-01-21 12:25:56.000000000 +0100
@@ -205,7 +205,7 @@
my $ic;
if (opendir(DIR,$trdr.$public)) { } else {
- serr(404,$page);
+ serr(404,"");
return;
}
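Review bot: replacing `$page` with an empty string here (and at every later call site in this patch) removes the reflected path, but it also drops the diagnostic from the 404 body, and any caller of serr() not touched by these hunks still reflects its argument. Escaping `&`, `<`, `>` and `"` inside serr() itself, where the argument is written into the HTML, would fix all callers in one place and keep the message informative.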
@@ -389,13 +389,13 @@
$page=conv($page); # convert $page from %XX-encoding to plain ASCII
if (evilhacker($page)) { # illegal filename
- serr(403,$page);
+ serr(403,"");
return;
}
if (($cgiholes==1) && (defined $getstr)) { # minimal protection for bad
cgi-scripts!
if (evilhacker($getstr)) {
- serr(403,$page);
+ serr(403,"");
return;
}
}
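Review bot: the context line `$page=conv($page); # convert $page from %XX-encoding to plain ASCII` explains why the reflection was exploitable even for URL-encoded input: the path is decoded before it reaches serr(), so any escaping must be applied to the decoded value at output time, not to the raw request. Note also that the second site in this hunk, inside `if (evilhacker($getstr))`, was reporting `$page` rather than `$getstr` before the patch; blanking it makes that moot, but keep it in mind if the message is ever restored, and remember that evilhacker() is an illegal-filename check, not a substitute for output encoding.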
@@ -411,7 +411,7 @@
$trdr="/root/public_html/";
$trp=$2;
} else {
- serr(403,$page);
+ serr(403,"");
}
} else {
$page =~ /^\/\~(.+?)\/(.*?)$/g;
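Review bot: unlike the sites at lines 205 and 389, the `serr(403,"")` in this else branch is not followed by `return;`, and the visible context does not show what runs after the 403 has been sent. Please confirm that execution cannot fall through and still serve the request, or add a `return;` here as the other sites do.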
@@ -449,11 +449,11 @@
if ($reqt==2) { # POST-requests
$ENV{"REQUEST_METHOD"}="POST";
if ($postreq==0) {
- serr(403,"$page");
+ serr(403,"");
} else {
if ($postreq==1) {
if (iscgi($trp)) {
- serr(403,"$page");
+ serr(403,"");
return;
}
}
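Review bot: the `serr(403,"")` in the `$postreq==0` branch has no `return;`, while the `iscgi($trp)` site two lines below does; the asymmetry looks unintentional and is worth checking. The original `"$page"` (quoted) versus bare `$page` at the other sites is equivalent in Perl, so treating them identically in the patch is correct.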
@@ -495,7 +495,7 @@
$ENV{"REQUEST_METHOD"}="GET";
if (!(-e $trdr.$trp)) {
- serr(404,$page);
+ serr(404,"");
return;
}
@@ -550,7 +550,7 @@
}
close(SRC);
} else {
- serr(404,$page);
+ serr(404,"");
}
}
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx