-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SA0006
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ VHCS 2.x HTTP Error Cross Site Scripting +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PUBLISHED ON
Nov 22, 2005
PUBLISHED AT
http://moritz-naumann.com/adv/0006/vhcsxss/0006.txt
http://moritz-naumann.com/adv/0006/vhcsxss/0006.txt.sig
PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/
SECURITY at MORITZ hyphon NAUMANN d0t COM
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED APPLICATION OR SERVICE
VHCS
http://www.vhcs.net/
VHCS, the Virtual Hosting Control System, is a virtual
hosting management application.
AFFECTED VERSIONS
Version 2.2.0 up to and including 2.4.6.2
BACKGROUND
Cross Site Scripting, also known as XSS or CSS, describes
the injection of malicious content into output produced
by a web application. A common attack vector is the
inclusion of arbitrary client side script code into the
applications' output. Failure to completely sanitize user
input from malicious content causes a web application
to be vulnerable to Cross Site Scripting.
http://en.wikipedia.org/wiki/XSS
http://www.cgisecurity.net/articles/xss-faq.shtml
ISSUE
VHCS is subject to a XSS vulnerability on its HTTP error
messages. This issue is caused by lack of input sanitation
in vhcs/gui/errordocs/index.php which returns unfiltered
web server environment variables.
Successful exploitation may allow for impersonification
through session stealing attacks.
The following URL demonstrates this issue:
[vhcs_basedir]/dev/inputvalidation%3Cscript%3Ealert(window.location.hash
)%3B%3C/script%3E#XSS
WORKAROUND
Client: Disable Javascript.
Server: Prevent access to vulnerable file(s).
SOLUTIONS
Moritz Naumann IT Consulting & Services has crafted a
unified diff patch against VHCS 2.4.6.2 which is available at
http://moritz-naumann.com/adv/0006/vhcsxss/patch/index.php.diff
VHCS developers may provide a fix in the 2.6 release. A release
date is not currently set.
TIMELINE
Oct 06, 2005 Discovery
Oct 06, 2005 Code maintainer notified
Oct 06, 2005 Code maintainer replies
Nov 22, 2005 Public disclosure
REFERENCES
N/A
ADDITIONAL CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDg4l+n6GkvSd/BgwRAnhcAKCEfl0VO/XNXvL9ltSkJzWMBnsGxwCdE269
2TBoq12ltOuH467cZqOUy1k=
=IIUA
-----END PGP SIGNATURE-----