Bugtraq mailing list archives

Xitami 2.5 Beta Errors.gsl Script Injection Vulnerabilities
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Thu, 27 Jun 2002 01:43:01 -0500

[ SecurityFocus: BID #5025 describes this issue; may it be noted that older
versions are NOT vulnerable. ]

In Xitami 2.5 Beta, a GSL feature was implemented.  GSL is an XML-type
language.  Xitami demonstrates this with two sample scripts.  Errors.gsl is
used for error processing in servers where it has been enabled.  (Disabled by
default)

Errors.gsl poorly checks the hostname of the input request, only filtering
SCRIPT (case-insensitive filter) out of the host.  So, events can be fired to
run code:


It also does not check the User-Agent field AT ALL:

[ telnet target.net 80 ]

GET / HTTP/1.0
User-Agent: <SCRIPT>alert(document.cookie);</SCRIPT>

[ End sent data ]

Xitami will return the script in the output.  If an attacking page can
control the User-Agent (or any part of it), it can run code on a visiting
browser in the of the site running the Beta.

Vendor: iMatix has forwarded my original post to the discussion forum, and
will update the script in future beta releases.


iMatix Home Page (iMatix)

Xitami Home Page (iMatix)

Other Issues:

Xitami Web Server Plaintext Administrator Password Storage (SecuriTeam [By
ace; shellcode () attbi com])
Defaults.aut Displays Un-encrypted Admin Password

Xitami Reserved Device DoS Vulnerability (SecuriTeam [By neme-dhc;
neme-dhc () hushmail com])
AUX Device Access Causes Server Hang

Xitami CGI Processing Failure Vulnerability (SecuriTeam)
CGI Script Processing Error Allows Code Disclosure
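The post describes two handling defects in the sample error script: the Host header is run through a case-insensitive removal of the word SCRIPT, and the User-Agent header is not checked at all before both are written into the error page. The following Python is an added illustration (not code from the post, and not iMatix's GSL script) that contrasts that keyword blacklist with context-correct HTML output encoding. The raw request and the error-page template are constructed for the example, modelled on the telnet session in the post; `parse_request_headers`, `blacklist_filter` and `html_escape` are hypothetical helper names.

```python
import html
import re

# Constructed sample request, modelled on the telnet session in the post.
RAW_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Host: target.net\r\n"
    "User-Agent: <SCRIPT>alert(document.cookie);</SCRIPT>\r\n"
    "\r\n"
)


def parse_request_headers(raw):
    """Split a raw HTTP/1.0 request into (request_line, {lowercased-name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def blacklist_filter(value):
    """Mimics the weak check the post describes for the Host header:
    remove the word 'SCRIPT' case-insensitively and nothing else.
    Angle brackets, quotes and every other tag name survive untouched."""
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def html_escape(value):
    """Output encoding for an HTML text node or quoted attribute value:
    <, >, &, ' and " become entities, so the browser never sees markup."""
    return html.escape(value, quote=True)


# Constructed stand-in for an error page that reflects request headers.
ERROR_TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>Host: {host}</p>"
    "<p>User-Agent: {ua}</p>"
    "</body></html>"
)


def render_error_page(headers, sanitize):
    """Build the error page, passing each reflected header through `sanitize`."""
    return ERROR_TEMPLATE.format(
        host=sanitize(headers.get("host", "")),
        ua=sanitize(headers.get("user-agent", "")),
    )


def unsafe_chars_remaining(value):
    """Characters that still allow an attacker-controlled string to break out of
    an HTML text node or attribute. Empty set means the value is inert."""
    return {c for c in value if c in "<>\"'"}


if __name__ == "__main__":
    _, hdrs = parse_request_headers(RAW_REQUEST)
    ua = hdrs["user-agent"]
    print("blacklist :", blacklist_filter(ua), unsafe_chars_remaining(blacklist_filter(ua)))
    print("escaped   :", html_escape(ua), unsafe_chars_remaining(html_escape(ua)))
    print(render_error_page(hdrs, html_escape))
```

The keyword blacklist turns the sample User-Agent into `<>alert(document.cookie);</>`, which still carries raw angle brackets into the page, whereas entity encoding leaves nothing the browser will interpret as markup. The fix for a reflected header is therefore encoding at the point of output, not a search for particular tag names.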
