Complete.Org: Mailing Lists: Archives: freeciv-dev: May 2002:
[Freeciv-Dev] Re: [Metaserver] scripting security hole (PR#1424)
To: Daniel L Speyer <dspeyer@xxxxxxxxxxx>
Cc: Paul Zastoupil <paul@xxxxxxxxxxxxx>, schnetter@xxxxxxx, freeciv-dev@xxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Freeciv-Dev] Re: [Metaserver] scripting security hole (PR#1424)
From: Paul Zastoupil <paul@xxxxxxxxxxxxx>
Date: Wed, 1 May 2002 15:13:05 -0700

Well considering the metaserver has been waiting to be rewritten for about
3 years now.... any volunteers?

On Wed, May 01, 2002 at 05:53:24PM -0400, Daniel L Speyer wrote:
> On Wed, 1 May 2002, Paul Zastoupil wrote:
> 
> > This is causing the browser to make a request for the file, so you will
> > only be able to force it to grab files it can already grab.
> > 
> > The metaserver shouldn't allow tags, but this isn't a security problem.
> > 
> 
> Well, it has real annoyance potential.  I recently did
> /metainf <script>window.open("http://slashdot.org","","";);</script>
> and when I visited civserver's web interface, a slashdot window popped
> up.  And if it can be done for slashdot.org, it can be done for goatse.cx
> -- or many.popups.com
> 
> It shouldn't be too hard to do
> # escape '&' first so the entities added below are not escaped again,
> # and use /g so every occurrence is replaced, not only the first one
> $metainf =~ s/&/&amp;/g;
> $metainf =~ s/</&lt;/g;
> $metainf =~ s/>/&gt;/g;
> right before throwing it on the web.
> 
> Now that the exploit is known, let's fix it quickly.
> 
> --Daniel Speyer
> If you *don't* consider sharing information to be morally equivalent to 
> kidnapping and murder on the high seas, you probably shouldn't use the
> phrase "software piracy."
> 
> > On Wed, May 01, 2002 at 08:59:27AM -0700, schnetter@xxxxxxx wrote:
> > > Full_Name: Stefan Schnetter
> > > Version: 
> > > Distribution: Don't know
> > > Client: Both (or N/A)
> > > OS: 
> > > Submission from: (NULL) (217.82.56.232)
> > > 
> > > 
> > > Today I tried to execute a Javascript exploit for Mozilla >0.9.7 (closed in
> > > the newest CVS version, Bugzilla-ID 141061) and Netscape >6.1 at the
> > > Metaserver page.
> > > 
> > > Exploit description:
> > > http://sec.greymagic.com/adv/gm001-ns/
> > > Heise.de (german):
> > > http://www.heise.de/newsticker/data/ju-30.04.02-000/
> > > 
> > > I have modified and split the script (Metainfo is limited to 68 characters)
> > > and tested it locally (maybe this script only works locally).
> > > 
> > > <script>var A=XMLHttpRequest();var B="/etc/passwd";</script>
> > > <script>A.open("GET",B,false);A.send(null);</script>
> > > <script>alert(A.responseText);</script>
> > > 
> > > On the Metaserver it will be executed on the server and not locally! It
> > > returns the source code of a 404 HTML page.
> > > So you can display e.g. /robots.txt but not the local password file of
> > > your PC (as I thought) or the password file of the server. ;)
> > > 
> > > I only want to tell you that it is DANGEROUS if it is possible to execute your
> > > own scripts. Maybe it is possible to load external scripts or do even more
> > > dangerous things (crack the server with exploits).
> > > 
> > 
> > -- 
> > Paul Zastoupil
> > 
> > 
> 

-- 
Paul Zastoupil


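The escaping Daniel proposes in the thread above, worked through as an added example (this is not the Freeciv metaserver's own code). It puts the substitution order from his message next to a corrected version and runs both over two constructed metainfo strings, so the failure mode is visible: escaping `&` last re-escapes the `&lt;`/`&gt;` entities just produced, and without `/g` only the first `<` and `>` are touched, leaving the closing tag intact. The sample strings, the function names `escape_naive` and `escape_html`, and the extra quote handling are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not the Freeciv metaserver's own code: escape untrusted
# /metainf text before it is written into the metaserver's HTML page.
use strict;
use warnings;

# The substitution order quoted in the thread, applied literally: '&' is
# escaped last and nothing uses /g.  Kept only to show the failure mode.
sub escape_naive {
    my ($text) = @_;
    $text =~ s/</&lt;/;
    $text =~ s/>/&gt;/;
    $text =~ s/&/&amp;/;
    return $text;
}

# Corrected version: '&' first (so the entities added afterwards are not
# escaped a second time), /g on every substitution, and both quote
# characters handled in case the value ever lands inside an attribute
# rather than between tags.
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Constructed samples resembling what a game server could send as metainfo.
my @samples = (
    '<script>window.open("http://example.invalid","","");</script>',
    'Fish & Chips <b>server</b>',
);

for my $metainf (@samples) {
    print "raw:   $metainf\n";
    print "naive: ", escape_naive($metainf), "\n";
    print "fixed: ", escape_html($metainf),  "\n\n";
}
```

For the first sample the naive order yields `&amp;lt;script&gt;...` and leaves the raw `</script>` untouched; for the second it leaves `</b>` as a live tag. The corrected function escapes every occurrence exactly once, which is what a browser needs to render the metainfo as text rather than markup.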