Bugtraq: Re: WebScarab <= 20060621-0003 cross site scripting

[Rogan Dawes <discard () dawes za net>]

security () moritz-naumann com wrote (a LONG time ago):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> SA0012
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> +++++          WebScarab Cross Site Scripting           +++++
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> PUBLISHED ON
>   Jul 18, 2006
>
>
> PUBLISHED AT
>   http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt
>   http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt.gpg
>
>
> PUBLISHED BY
>   Moritz Naumann IT Consulting & Services
>   Hamburg, Germany
>   http://moritz-naumann.com/
>
>   SECURITY at MORITZ hyphon NAUMANN d0t COM
>   GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
>
>
> AFFECTED APPLICATION OR SERVICE
>   WebScarab
>   http://www.owasp.org/index.php/OWASP_WebScarab_Project
>   http://sourceforge.net/projects/owasp/
>
>   WebScarab is a Free Software for manual and semi-automatic
>   web application penetration testing. It is developed in
>   Java by Rogan Dawes as part of the Open Web Application
>   Security Project (OWASP).
>
>
> AFFECTED VERSIONS
>   Version 20060621-0003 and below
>
>
> ISSUES
>   WebScarab is subject to a client side script code injection
>   vulnerability which may allows for running cross site
>   scripting attacks against web clients connecting through it.
>
>   +++++ 1. Cross Site Scripting vulnerability in error
>            messages
>
>   By accessing the following URI using a web browser which is
>   prone to this issue and configured to proxy through a
>   vulnerable version of WebScarab, a non-persitent web script
>   injection can be achieved:
>
>   http://arbitrary.domain/</pre><script>alert(0);</script>
>
>   This allows for disclosure of sensitive data stored in the
>   security context of any arbitrary domain which the web browser
>   has previously accessed but WebScarab is not able to access
>   by the time the attack takes place (due to invalid upstream
>   proxy setting on WebScarab, different results of DNS queries,
>   limited connectivity or other reasons).
>
>   Ms Internet Explorer 6 SP2 and Konqueror 3.5.3 are known to
>   be prone to this issue. This problem is caused by insufficient
>   santitation of user supplied input before it is returned to
>   the client as part of an error message.
>
>
> BACKGROUND
>   Cross Site Scripting (XSS):
>   Cross Site Scripting, also known as XSS or CSS, describes
>   the injection of malicious content into output produced
>   by a web application. A common attack vector is the
>   inclusion of arbitrary client side script code into the
>   applications' output. Failure to completely sanitize user
>   input from malicious content can cause a web application
>   to be vulnerable to Cross Site Scripting.
>
>   http://en.wikipedia.org/wiki/XSS
>   http://www.cgisecurity.net/articles/xss-faq.shtml
>
>
> WORKAROUNDS
>   Client: Disable Javascript.
>   Server: None known.
>
>
> SOLUTIONS
>   Rogan Dawes has released version 20060718-1904 today.
>   This version fixes this issue. The updated packages is
>   available at
>
> http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
>
>
> TIMELINE
>   Jul 18, 2006: Discovery, code maintainer notification
>   Jul 18, 2006: Code maintainer provides fix
>   Jul 18, 2006: Public advisory
>
>
> REFERENCES
>   N/A
>
>
> ADDITIONAL CREDIT
>   N/A
>
>
> LICENSE
>   Creative Commons Attribution-ShareAlike License Germany
>   http://creativecommons.org/licenses/by-sa/2.0/de/
Due to a complete lack of actual testing, the abovementioned "fix" for 
this problem didn't actually do anything. Thanks to Nathaniel Roberts 
for pointing this out, even almost a year later.
A new release of WebScarab has been published that does actually fix 
this. It can be obtained from 
<https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823>
The full changelog since the previous version is available at 
<https://sourceforge.net/project/shownotes.php?release_id=506001&group_id=64424>
Regards,

Rogan Dawes