![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: MASA <masa@magnux.com>
To: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
Subject: Cross-site Scripting Flaw in webalizer
Date: Wed, 24 Oct 2001 11:18:14 -0200 (BRST)
MASA:01-01:en - Cross-site Scripting Flaw in webalizer
Overview
The webalizer is a popular web server log file analysis tool which
produces reports in HTML format. Some webalizer versions contains two
flaws that may allow a malicious user to insert unquoted data into the
generated reports. This may be used to run scripts in the security
context of the viewed site, as explained in the [1]CA-2000-02
Malicious HTML Tags Embedded in Client Web Requests CERT/CC advisory
(aka "cross-site scripting bug"). Under certain conditions, these
flaws may allow a malicious user to run commands remotely on the web
server where the reports are stored.
Detailed Description
The list below summarizes the flaws that may be exploited by a
malicious user to inject HTML tags into webalizer reports. Once
injected, the malicious data will be processed as soon as a victim
user visit the compromised report.
Tags in host names
The webalizer program blindly trust the data returned by the
operating system resolver library, when doing reverse address
resolution. A malicious user who has control over a DNS reverse
address mapping zone can setup an address with PTR record
pointing to a name containing HTML tags, and then access the
web server where webalizer is run periodically. When the
webalizer program is run on the log files, the address recorded
on them will resolve to a name containing the HTML tags, which
will be inserted unmodified into the generated HTML reports.
Notice that the number of systems made vulnerable by this flaw
may be small, as most modern resolver libraries refuse to
return host names containing HTML meta-characters.
Tags in search keywords
The webalizer program has the ability of parsing the contents
of HTTP referrer information stored in log files. The data
collected is them compared to a list of search engine URLs, so
that the program can present the words used to reach the
analyzed site. Unfortunately, extracted keywords are stored
unmodified in the generated HTML files -- this allow a
malicious user to introduce tags directly into the reports, by
connecting to the web server and sending a "Referer" HTTP
header containing HTML meta-characters.
These vulnerabilities may be exploited by a malicious user to run
scripts on the user agent (e.g. web browser) accessing the compromised
HTML reports, as described by the CERT/CC advisory mentioned above.
However, these vulnerabilities are much more dangerous because the
unvalidated user input is not output dynamically, but written to files
on the web server file system instead. If these files are going to be
interpreted by some scripting engine (such as Apache SSI, PHP, etc.),
a malicious user can inject special tags that may trigger the script
interpreter. This may allow the malicious user to run commands
remotely on the web server.
Impact
* Malicious users may run client-side scripts on the web user agent
accessing a webalizer report, under the security context of the
viewed site.
* Malicious users may run commands remotely on the server where the
webalizer reports are stored, if they are going to be parsed by
scripting engines.
Who is Affected
These flaws was confirmed in webalizer 2.01-06. Older versions were
not tested.
To be vulnerable to the "tags in host names" flaw, the following
conditions must be met:
* DNS name resolution is enabled in webalizer (e.g. the option
--enable-dns was used when calling configure).
* The operating system resolver library does not filter out HTML
meta-characters in returned host names.
To be vulnerable to the "tags in search keywords" flaw, the following
conditions must be met:
* HTTP referrer information is being output to log files to be
analyzed by webalizer.
* The webalizer program is configured to parse HTTP referrer
information looking for search engine URLs. Unfortunately, this is
enabled by default on the sample configuration file installed with
the program, and the program will silently enable it, if no
configuration file is being used.
Solution/workarounds
The author of webalizer were contacted and provided a fix for these
issues. A patch is available at
[2]ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch.
Acknowledgments
Thanks to Bradford L. Barrett <[3]brad@mrunix.net> (the author of
webalizer) for promptly replying and providing a fix.
Additional Information
MASA:01-01:en Copyright © 2001 by Magnux Software, Rio de
Janeiro/Brazil. All rights reserved. This document may be copied and
distributed freely in electronic form, provided that you keep it
unchanged. Parts of it may be used unchanged and in electronic form
only without the need of explicitly author authorization, provided
that proper credits are given in the form "MASA:01-01:en from Magnux
Software (http://www.magnux.com/)". To copy or reprint the whole or
any part of this document in any other non-electronic medium, contact
<[4]masa@magnux.com>.
The information in this document may change without notice. The
information contained in this document is provided for EDUCATIONAL
PURPOSE ONLY and without ANY WARRANTY. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is
at the user's own risk.
This advisory and further updates, plus other advisories issued by
Magnux Software, can be found on the [5]MASA Advisories Page on the
[6]Magnux Software INTL web site. Questions about Magnux Software may
be sent to <[7]admin@magnux.com>. GPG keys are available at
[8]http://www.magnux.com/gpg-keys.txt.
References
1. http://www.cert.org/advisories/CA-2000-02.html
2. ftp://ftp.mrunix.net/pub/webalizer/sec-fix.patch
3. mailto:brad@mrunix.net
4. mailto:masa@magnux.com
5. http://intl.magnux.com/masa/
6. http://intl.magnux.com/
7. mailto:admin@magnux.com
8. http://www.magnux.com/gpg-keys.txt