Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: web5025.htm

w3perl succeptible to cookie theft, faked logs and more
24th Jan 2002 [SBWID-5025]

	w3perl succeptible to cookie theft, faked logs and more


	w3perl 2.85


	Zenomorph    wrote    a    white    paper    about     the     following


	I. Introduction

	When people visit your website, certain information is passed  from  the
	users web browser to your web server/script. This  information  contains
	data such as what browser they are using, the  last  site  visited,  the
	file they requested, and other information. This paper  was  written  to
	help you understand how an attacker can use these information fields  to
	exploit your web statistics software.


	II. Type of Threats

	Public Statistic Threats:

	If you have hit reports on your site,  and  they  are  viewable  by  the
	public, then there are a few risks you must be aware of.

	* SSI Tag Insertion

	        - Command Execution

	        - Page Includes



	* HTML Insertion

	        - Links to unwanted sites (Spammed references)

	        - Possible Alteration of statistical page

	        - JavaScript Insertion

	        - Possible falsification of logs 

	        - Popup Windows (Tricked Advertising)


	* Other(Maybe)

	        - Java

	        - Active X

	        - Python

	        - TCL

	        - VBscript

	        - Other Markup Language Insertion

	        - PHP

	        - ASP

	        - SQL/Database injection


	Private Statistics Threats:

	Same as above, except if cookie theft is possible,  it  could  allow  an
	attacker access to administrative tools.


	III. Examples

	The threats of modified http headers vary  depending  on  what  language
	the software is written in, what file format  the  output  is  displayed
	in, and the server permissions.

	  A. SSI


	For example, if I have a script that  prints  the  output  in  a  .shtml
	file, then it *may* be possible to insert file includes,  and  depending
	on server configuration, execution of commands.

	Below is an example of such an attack.

	su-2.05# telnet localhost 80


	Connected to localhost.

	Escape character is \'^]\'.

	GET / HTTP/1.0

	Referer: <!--#virtual include=\"somefile.log\"-->

	User-Agent: <!--#exec cmd=\"/bin/id\"-->


	HTTP/1.1 200 OK

	Date: Mon, 17 Dec 2001 20:39:02 GMT


	Connection: close

	Content-Type: text/html


	In this example the attacker is inserting SSI  tags  into  the  Referrer
	and User-Agent fields. Depending on whether the  software  outputs  this
	information as text or in image form, this could lead to  possible  file
	includes, or command execution.  (Of  course  these  examples  could  be
	interchangeable). If the logs are shown  as  text  and  displayed  in  a
	shtml file, and the referrer, or user agent fields are  shown  (most  of
	the time they are), then these two requests  will  be  included  in  the
	file. The next time a visitor views these logs, the  SSI  tags  will  be
	executed by the web server,  and  should  display  the  results  of  the
	\"id\" command, as well  as  the  contents  of  \"somefile.log\".  (Once
	again depending on server configuration).

	  B. Html


	Inserting html is less of a threat  than  SSI,  but  it  still  has  its
	concerns. If a attacker can insert html, then there  is  a  good  chance
	JavaScript can also be inserted.

	  - Fake Logs


	Sometimes an attacker will flood your logs with false  entries  to  hide
	his  presence.  Another  possibility  of   html   insertion   would   be
	falsification of logs. If the  attacker  manages  to  insert  tags  like
	</html> into the request, it could hide his presence to a  visitor\'s
	web browser. Since his tag would be inserted in the middle or  beginning
	of the document, if the attacker puts  this  tag  everything  afterwards
	will be invisible to a normal user. (Unless you select View Source).

	  - Stolen Cookies


	With JavaScript insertion allowed it may be possible for an attacker  to
	steal cookies from a  visiting  user.  This  of  course  could  lead  to
	possible  session  hijacking,  and  depending  on  the  site,  user  and
	password information to be leaked.

	su-2.05# telnet localhost 80


	Connected to localhost.

	Escape character is \'^]\'.

	GET / HTTP/1.0

	Referer: <javascript-that-is-evil-so-there\'s-no-need-for-examples>

	User-Agent: </html>



	If a user visits this stats page and the referrer is outputted  then  it
	may be possible to steal users cookies.

	   C. Other


	ASP, JSP, python, and  other  languages  are  all  possible  using  this
	attack method. Once again this depends on a  few  contributing  factors.
	This  method  isn\'t  as  \'one  dimensional\'  as  other  exploitation.
	Database command, and content injection also may be possible.

	   D. Additional


	Some software may only show the top 20, 50, or 100  Referrers  and  user
	agents. This means that just because an  attacker  has  sent  a  request
	with malicious headers, that it may not execute. Of  course  since  most
	statistical software shows the amount of hits per  field,  the  attacker
	could send a flood of  requests  to  get  his/her  evil  headers  to  be
	displayed. While this isn\'t a very efficient attack, it still  has  its
	purposes. I\'ve managed to get this attack type working in  3  different


	Upgrade to 2.86



	In more general terms :

	1.(BEST WAY) Stripping out metacharacters like <>\":;\'}{][|\\)(*&^%$#!`


	This can help prevent html, JavaScript,  php,  sql  injection,  and  SSI

	2. Replacing < and > with > <


	By replacing <  and  >  with  <  and  >  this  helps  prevent  tag
	execution. One obvious problem would be scripts with potential  backtick
	\"`\" problems.


	V. Conclusion


	This paper was written to show awareness of this particular threat. 

	I\'m sure this paper doesn\'t cover *every* use for this attack, but I hope 

	it helps web developers create safer web applications. 


	Published to the Public January 2002

	Copyright 2002


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH