From superpetz@hushmail.com Mon Feb 4 23:59:22 2002
From: superpetz@hushmail.com
To: bugtraq@securityfocus.com
Cc: Jon Howell
Date: Mon, 4 Feb 2002 12:33:02 -0800
Subject: [SUPERPETZ ADVISORY #002- Faq-O-Matic Cross-Site Scripting Vulnerability]

[SUPERPETZ ADVISORY #002- Faq-O-Matic Cross-Site Scripting Vulnerability]

     /\_/\    +
    :_   _:   ++
    :>o<:_____+++
     \-/______++
     /\    /\
  (collect them all! this one is a lynx!!)

TITLE: Faq-O-Matic Cross-Site Scripting Vulnerability
-----

discovery date: February 1st, 2002
--------------

publication date: February 4th, 2002
----------------

impact: low-to-low-medium
------

local: no way!
-----

remote: yes!
------

introduction:
------------

This is a great little product for managing a bunch of FAQs. It allows
people who visit the site to maintain the FAQ by adding new questions and
answers and stuff like that. It has quite a pleasing colour scheme. Also
the name of the product has some real pep, it reminds me of a vacuum
cleaner. Vrooooooom! Though it is obvious by the motif of the Faq-O-Matic
website that they are aiming for more of a food processor feel. Check it
out here:

http://faqomatic.sourceforge.net/fom-serve/cache/1.html

Faq-O-Matic is open-source. It appears to be quite popular. Additionally,
a huge body of people have contributed to it. Faq-O-Matic 2.712 was the
version I tested. At the time of writing, this is the most recent stable
version of the software.

The vendor's personal page has a wonderful picture of a sassy-looking
green cat:

http://www.cs.dartmouth.edu/~jonh/whome2/image=L500dejo.html

background:
----------

Faq-O-Matic has some cross-site scripting problems. Cross-Site Scripting,
in short, is a type of problem that allows a malicious person to make a
nice person run some JavaScript in their browser. The JavaScript is
executed on the victim and is in the context of the super website running
the Faq-O-Matic Frequently Asked Question manager.

For more information on cross-site scripting, check it here:

http://www.cert.org/advisories/CA-2000-02.html
http://httpd.apache.org/info/css-security/

I just picked this program at random because I liked the peppy name. It
turns out there was a very recent discussion on the Faq-O-Matic mailing
list about the possibility of CSS bugs. So this is pretty timely.

details:
-------

You can reproduce this condition with the following example:

http://faqomaticsite/cgi-bin/fom/fom.cgi?cmd=&file=1&keywords=superpetz

This causes an alert box which says "superpetz". Underneath the alert box
is an error page which indicates that the user attempted an unknown
command. The problem is that the "cmd=" parameter does not get rid of "<"
or ">" type stuff.

With some tweaking you can steal some cookies from one of the Faq-O-Matic
moderators or the admin. You just need to send the link with the script
code for stealing the cookies in a HTML e-mail to your victim. Then
voila!, you can make your own special FAQs about different types of
vacuum cleaners.

Of course, another thing that a malicious guy may do for fun is to create
an alert message that says "Click here to visit our new fantabulous FAQ
Warehouse", and then send the victim of the attack to a site like this:

http://www.wa4dsy.net/robot/Rally2000/jpeg500/vacomatic.jpeg
http://film.guardian.co.uk/gallery/image/0,8545,-10204337732,00.html
http://www.rcba.org/allvac/

Then the victim is like, oh no, now my favorite FAQ Warehouse is taken
over by the vacuum emporium! Of course, a really malicious guy will
probably just make it connect to a porno site or something like the Aryan
Nations site.

Ironically, when I was playing with this, I got an error message to the
admin mailbox which contained the un-sanitized script code.

workarounds/solutions:
---------------------

Let it be known that superpetz is not a super smart guy. I wrote the
vendor and he gives some information for a fix. The first time I read his
response I totally glossed over this information and then I sent him a
reply that said something like: "OKAY JERKFACE!!!! WHEN ARE YA GONNA FIX
THIS STUFFZ??". But then I realize that there is fix information in the
vendor response, and so I lose much face because of this.

He just says that the output can be "entified", which should be easy
enough to accomplish for an open-source code monkey who likes to tinker
with such stuff.

Of course, if you really wanna be on the safe side, you can just disable
active scripting in your browser. This cross-site scripting stuff is
quite prevalent in CGI programs. You should probably be smart and use an
e-mail client that allows you to not accept HTML e-mail, because that is
one of the more popular attack vectors for this type of stuff!!!

vendor response:
---------------

The vendor guy confirmed this bug in Vac... err Faq-O-Matic. He says I
have a nice tuque, but my tuque got stolen by some college students. The
response was pretty quick and he only has nice stuff to say.

terms of vulnerability disclosure:
---------------------------------

This guy was pretty forthright and co-operative, even if he does use
terms I don't understand like "a gimmie". He just said something like
"Yeah, this is an issue, easy to fix, thanks for pointing it out!". Seems
like it is okay to go public with it.

copyright:
---------

This really ain't no rocket math. Just take what you want and copy and
bastardize it to your heart's delight.

contact:
-------

superpetz@hushmail.com
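Faq-O-Matic itself is a Perl CGI; the following Python is an added illustration (not code from the advisory or from the Faq-O-Matic project) of the two things the write-up points at: the "entify" fix the vendor suggests for the error page that echoes the "cmd=" value back, and a defender-side check over web server access logs for "cmd=" values that carry angle brackets. The function names and the log lines are constructed for this example.

```python
import html
from urllib.parse import urlsplit, parse_qs


def render_unknown_command_page(cmd: str, entify: bool = True) -> str:
    """Build the 'unknown command' error text that echoes the cmd value back.

    entify=False mirrors the unsafe behaviour the advisory describes (the
    value is copied into the page untouched); entify=True applies the
    vendor's suggested fix: HTML-entity encode it before it reaches the page.
    """
    shown = html.escape(cmd, quote=True) if entify else cmd
    return f"<p>Unknown command: {shown}</p>"


# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2002:12:33:02 -0800] "GET /cgi-bin/fom/fom.cgi?cmd=show&file=1 HTTP/1.0" 200 2345
10.0.0.6 - - [04/Feb/2002:12:34:10 -0800] "GET /cgi-bin/fom/fom.cgi?cmd=&file=1&keywords=superpetz HTTP/1.0" 200 1234
10.0.0.7 - - [04/Feb/2002:12:35:44 -0800] "GET /cgi-bin/fom/fom.cgi?cmd=%3Cb%3Ex%3C%2Fb%3E&file=1 HTTP/1.0" 500 456
"""


def suspicious_cmd_requests(log_text: str) -> list:
    """Return (client_ip, decoded_cmd) for requests whose cmd parameter carries
    angle brackets once percent-decoded, i.e. markup headed for the echo."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split('"')
        if len(fields) < 2:
            continue  # no quoted request line; skip malformed entry
        request_parts = fields[1].split()
        if len(request_parts) < 2:
            continue
        query = urlsplit(request_parts[1]).query
        # parse_qs percent-decodes values, so %3C becomes "<" before the check
        for value in parse_qs(query, keep_blank_values=True).get("cmd", []):
            if "<" in value or ">" in value:
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    print(render_unknown_command_page("<b>x</b>", entify=False))
    print(render_unknown_command_page("<b>x</b>"))
    print(suspicious_cmd_requests(SAMPLE_LOG))
```

The entified page shows the literal text "<b>x</b>" to the reader instead of handing the browser a tag, which is the whole of the fix the vendor describes.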