Complete.Org: Mailing Lists: Archives: freeciv-dev: May 2002:
[Freeciv-Dev] Re: [Metaserver] scripting security hole (PR#1424) 		Home

[Freeciv-Dev] Re: [Metaserver] scripting security hole (PR#1424)

[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: Paul Zastoupil <paul@xxxxxxxxxxxxx>
Cc: schnetter@xxxxxxx, freeciv-dev@xxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Freeciv-Dev] Re: [Metaserver] scripting security hole (PR#1424)
From: Daniel L Speyer <dspeyer@xxxxxxxxxxx>
Date: Wed, 1 May 2002 17:53:24 -0400 (EDT) 
On Wed, 1 May 2002, Paul Zastoupil wrote:

> This is causing the browser to make a request for the file, so you will
> only be able to force it to grab files it can already grab.
> 
> The metaserver shouldn't allow tags, but this isn't a security problem.
> 

Well, it can be a real annoyance potential.  I recently did
/metainf <script>window.open("http://slashdot.org","","";);</script>
and when I visited civserver's web interface, a slahdot window popped
up.  And if it can be done for slashdot.org, it can be done for goatse.cx
-- or many.popups.com

It shouldn't be too hard to do
$metainf =~ s/</\&lt\;/;
$metainf =~ s/>/\&gt\;/;
$metainf =~ s/\&/\&amp\;/;
right before throwing it on the web.

Now that the exploit is known, let's fix it quickly.

--Daniel Speyer
If you *don't* consider sharing information to be morally equivalent to 
kidnapping and murder on the high seas, you probably shouldn't use the
phrase "software piracy."

> On Wed, May 01, 2002 at 08:59:27AM -0700, schnetter@xxxxxxx wrote:
> > Full_Name: Stefan Schnetter
> > Version: 
> > Distribution: Don't know
> > Client: Both (or N/A)
> > OS: 
> > Submission from: (NULL) (217.82.56.232)
> > 
> > 
> > Today i have tried to execute a Javascript Mozilla >0.9.7 (closed in newest 
> > CVS
> > Version Bugzilla-ID 141061) and Netscape >6.1 exploit at the Metaserver 
> > page.
> > 
> > Exploit description:
> > http://sec.greymagic.com/adv/gm001-ns/
> > Heise.de (german):
> > http://www.heise.de/newsticker/data/ju-30.04.02-000/
> > 
> > I have modified and splitted (Metainfo is limited to 68 characters) the 
> > script
> > and tested it local (maybe this script work only local).
> > 
> > <script>var A=XMLHttpRequest();var B="/etc/passwd";</script>
> > <script>A.open("GET",B,false);A.send(null);</script>
> > <script>alert(A.responseText);</script>
> > 
> > On the Metaserver it will be executed on the server and not local! It 
> > returns a
> > 404 html page source code.
> > So you can display e.g. /robots.txt but not the local password file of your 
> > PC
> > (as i thougt) or the pasword file of the Server. ;)
> > 
> > I only want to tell you that it is DANGER if it is possible to execute own
> > scripts. Maybe it is possible to load external scripts or even more danger
> > things (crack the server with exploits).
> > 
> 
> -- 
> Paul Zastoupil
> 
>
[Prev in Thread] Current Thread [Next in Thread]