I believe I've found a low level security hole relating to the way IPCalc's
CGI wrapper sanitises input, which allows Javascript injection.
Hole is considered low since IPCalc's CGI wrapper has no privileged
functionality, however of course it might be possible to use it as a vector
to attack other applications hosted on the same web server.
I contacted the author (Krischan Jodies - <http://www.jodies.de/>) on the 7th,
offering them 14 days to respond, but have had no reply to acknowledge that
the problem even exists. I've decided to publish this warning.
Tim
--
Tim Brown, Nth Dimension
<mailto:timb (at) nth-dimension.org (dot) uk>
<http://www.nth-dimension.org.uk/>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Nth Dimension Security Advisory (NDSA20060705)
Date: 5th July 2006
Author: Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: IPCalc 0.40 <http://www.jodies.de/ipcalc-archive/>
Vendor: Krischan Jodies <http://www.jodies.de/>
Risk: Low
Summary
The IPCalc CGI wrapper is vulnerable to Javascript injection within the
request URL.
Technical Details
The value of the requested URL is used within the web pages returned by the
IPCalc CGI wrapper script, in its unsanitised form:
$ grep -n actionurl ipcalc
45:$actionurl = $ENV{'REQUEST_URI'};
46:$actionurl =~ s/&/&amp;/g;
284:<form action="$actionurl" method="get" name="form" id="form">
Potential intruders could use this to execute malicious code on visitors'
computers.
Solutions
In order to completely protect against the vulnerability (in the short
term), Nth Dimension recommend disabling the IPCalc CGI wrapper.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFErfNvVAlO5exu9x8RAn0dAJ9LCbPdyMCpdujlZzXwm7rJOqIxiACgwDLE
3WXYaqKSKZl+kv8Gh6XEoQE=
=audk
-----END PGP SIGNATURE-----
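The escaping gap shown in the grep output under Technical Details, as an added example that is not part of the advisory or of IPCalc's own code: it renders the same form tag once with the ampersand-only substitution and once with full HTML attribute escaping, then checks whether the tag still contains only the template's markup. The sub names, the sample request URI and the full-escaping routine are assumptions made for illustration; the advisory itself recommends disabling the wrapper.

```perl
#!/usr/bin/perl
# Added example (not IPCalc code). Sub names and the sample URI are constructed.
use strict;
use warnings;

# What the advisory's grep output shows on line 46: only '&' is rewritten.
sub escape_amp_only {
    my ($value) = @_;
    $value =~ s/&/&amp;/g;
    return $value;
}

# Escape every character that can end a quoted attribute or open a tag.
my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);
sub escape_html_attr {
    my ($value) = @_;
    $value =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $value;
}

# Same shape as template line 284 in the grep output.
sub render_form_tag {
    my ($actionurl) = @_;
    return qq{<form action="$actionurl" method="get" name="form" id="form">};
}

# True if the rendered tag holds exactly the template's own markup:
# one '<', one '>' and eight double quotes (four quoted attributes).
sub markup_is_intact {
    my ($tag) = @_;
    my $lt = () = $tag =~ /</g;
    my $gt = () = $tag =~ />/g;
    my $dq = () = $tag =~ /"/g;
    return $lt == 1 && $gt == 1 && $dq == 8;
}

# Constructed request URI carrying a quote and angle brackets (harmless marker).
my $request_uri = '/cgi-bin/ipcalc?host=192.0.2.1&mask1=24"><i>injected-markup</i>';

for my $case (['ampersand only', \&escape_amp_only],
              ['full escaping',  \&escape_html_attr]) {
    my ($label, $escape) = @$case;
    my $tag = render_form_tag($escape->($request_uri));
    printf "%-15s intact=%s\n  %s\n", $label,
        markup_is_intact($tag) ? 'yes' : 'no', $tag;
}
```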