Bugtraq mailing list archives

[SUPERPETZ ADVISORY #002- Faq-O-Matic Cross-Site Scripting Vulnerability]


From: superpetz () hushmail com
Date: Mon, 4 Feb 2002 12:33:02 -0800



 /\_/\        +  
 :_ _:       ++ 
 :>o<:_____+++
  \-/______++
     /\  /\

(collect them all! this one is a lynx!!)
 
TITLE: Faq-O-Matic Cross-Site Scripting Vulnerability 
-----

discovery date: February 1st, 2002
--------------

publication date: February 4th, 2002
----------------

impact: low-to-low-medium
------

local: no way!
-----

remote: yes!
------

introduction:
------------

This is a great little product for managing a bunch of FAQs. It allows people who visit the site to maintain the FAQ by 
adding new questions and answers and stuff like that. It has quite a pleasing colour scheme. Also the name of the 
product has some real pep, it reminds me of a vacuum cleaner. Vrooooooom! Though it is obvious by the motif of the 
Faq-O-Matic website that they are aiming for more of a food processor feel.

Check it out here:

http://faqomatic.sourceforge.net/fom-serve/cache/1.html

Faq-O-Matic is open-source. It appears to be quite popular. Additionally, a huge body of people have contributed to it.

Faq-O-Matic 2.712 was the version I tested. At the time of writing, this is the most recent stable version of the 
software. 

The vendor's personal page has a wonderful picture of a sassy-looking green cat:

http://www.cs.dartmouth.edu/~jonh/whome2/image=L500dejo.html

background:
----------

Faq-O-Matic has some cross-site scripting problems. 

Cross-Site Scripting, in short, is a type of problem that allows a malicious person to make a nice person run some 
JavaScript in their browser. The JavaScript is executed in the victim's browser, in the context of the super website 
running the Faq-O-Matic Frequently Asked Questions manager.

For more information on cross-site scripting, check it here:

http://www.cert.org/advisories/CA-2000-02.html

http://httpd.apache.org/info/css-security/

I just picked this program at random because I liked the peppy name. It turns out there was a very recent discussion on 
the Faq-O-Matic mailing list about the possibility of CSS bugs. So this is pretty timely.  


details:
-------

You can reproduce this condition with the following example:

http://faqomaticsite/cgi-bin/fom/fom.cgi?cmd=<script>alert("superpetz")</script>&file=1&keywords=superpetz

This causes an alert box which says "superpetz". Underneath the alert box is an error page which indicates that the 
user attempted an unknown command. The problem is that the "cmd=" parameter does not get rid of "<" or ">" type stuff.
 
With some tweaking you can steal some cookies from one of the Faq-O-Matic moderators or the admin. You just need to 
send the link with the script code for stealing the cookies in a HTML e-mail to your victim. Then voila!, you can make 
your own special FAQs about different types of vacuum cleaners. Of course, another thing that a malicious guy may do 
for fun is to create an alert message that says "Click here to visit our new fantabulous FAQ Warehouse", and then send 
the victim of the attack to a site like this:

http://www.wa4dsy.net/robot/Rally2000/jpeg500/vacomatic.jpeg
http://film.guardian.co.uk/gallery/image/0,8545,-10204337732,00.html
http://www.rcba.org/allvac/

Then the victim is like, oh no, now my favorite FAQ Warehouse is taken over by the vacuum emporium!

Of course, a really malicious guy will probably just make it connect to porno site or something like Aryan Nations site.

Ironically, when I was playing with this, I got an error message to the admin mailbox which contained the un-sanitized 
script code. 

workarounds/solutions:
---------------------

Let it be known that superpetz is not a super smart guy. I wrote the vendor and he gives some information for a fix. 
The first time I read his response I totally glossed over this information and then I sent him a reply that said 
something like: "OKAY JERKFACE!!!! WHEN ARE YA GONNA FIX THIS STUFFZ??". But then I realize that there is fix 
information in the vendor response, and so I lose much face because of this. He just says that the output can be 
"entified", which should be easy enough to accomplish for an open-source code monkey who likes to tinker with such 
stuff.
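To make the "entify the output" fix concrete, here is an added example (not Faq-O-Matic's own Perl code, and not part of the original advisory). It models the "unknown command" error page in Python: one renderer echoes the cmd= parameter verbatim, as the advisory describes, and the other HTML-entity-encodes it first. The request URL is the advisory's proof-of-concept; the "faqomaticsite" host and the KNOWN_COMMANDS table are placeholders.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, copied from the advisory's proof-of-concept URL
# ("faqomaticsite" is the advisory's placeholder host, not a real site).
SAMPLE_URL = ('http://faqomaticsite/cgi-bin/fom/fom.cgi'
              '?cmd=<script>alert("superpetz")</script>&file=1&keywords=superpetz')

# Hypothetical command table; the real Faq-O-Matic dispatch is not modelled here.
KNOWN_COMMANDS = {"", "search", "editItem"}


def unknown_command_page_vulnerable(cmd):
    """Behaviour described in the advisory: the unknown command is echoed as-is,
    so "<" and ">" from the query string land in the page unchanged."""
    return f"<html><body>Unknown command: {cmd}</body></html>"


def unknown_command_page_fixed(cmd):
    """The vendor's suggested fix: entify the value before it reaches the browser.
    html.escape turns < > & " ' into their entity forms, so the browser renders
    the text instead of executing it."""
    return f"<html><body>Unknown command: {html.escape(cmd, quote=True)}</body></html>"


def handle_request(url, renderer):
    """Dispatch on cmd=; anything not in the command table goes to the error page."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    cmd = query.get("cmd", [""])[0]
    if cmd in KNOWN_COMMANDS:
        return "<html><body>ok</body></html>"
    return renderer(cmd)


def contains_active_markup(page):
    """Crude check used here to show the difference: does a real <script tag survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", handle_request(SAMPLE_URL, unknown_command_page_vulnerable))
    print("fixed:     ", handle_request(SAMPLE_URL, unknown_command_page_fixed))
```

The same entity-encoding step belongs on every place a request parameter is written back into HTML, not just this one error page; the error e-mail the advisory mentions is plain text, so it is a separate (information-leak) concern rather than another script-injection point.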

Of course, if you really wanna be on the safe side, you can just disable active scripting in your browser. This 
cross-site scripting stuff is quite prevalent in CGI programs.

You should probably be smart and use an e-mail client that allows you to not accept HTML e-mail, because that is one of 
the more popular attack vectors for this type of stuff!!!

vendor response:
---------------

The vendor guy confirmed this bug in Vac... err Faq-O-Matic. He says I have a nice tuque, but my tuque got stolen by 
some college students. The response was pretty quick and he only has nice stuff to say.

terms of vulnerability disclosure:
---------------------------------

This guy was pretty forthright and co-operative, even if he does use terms I don't understand like "a gimmie". He just 
said something like "Yeah, this is an issue, easy to fix, thanks for pointing it out!". Seems like it is okay to go public 
with it.

copyright:
---------

This really ain't no rocket math. Just take what you want and copy and bastardize it to your heart's delight. 

contact:
-------

superpetz () hushmail com




