Re: Cross-site scripting vulnerability in SARA v<=4.2.7

[bugtraq () saintcorporation com]

On Thu, 18 Dec 2003, toddr arc com wrote:

> 1.  CSS: Tom indicates that SATAN and older versions of SAINT are not
>     vulnerable to CSS.  Tom is incorrect as all used the SATAN engine
>     which did not tranlate "<" and ">" to their html codes "&lt;" and 
>     "&gt;  I suspect that SAINT has fixed it, SARA has, but SATAN has
>     not.

I disagree. Tom's original posting seems correct. Although
SARA, SAINT, and SATAN all use an http engine derived from
the same code, this specific vulnerability arises from
code introduced in SARA which was not part
of SATAN or SAINT (from sara_run_action.pl):

$debug="ON" if  ! $daemon;
$debug=""   if  $daemon;
select CLIENT;

This block of code enables debugging whenever a scan runs
in non-daemon (standalone) mode and redirects the
debugging output to the browser, which, prior to 5.0.0,
could include service banners containing script tags.

And, in any case, worthwhile security ideas should
not be discouraged. If every vulnerability posting
were considered a "complaint" by the respective
vendor, this list would become a very unfriendly
environment for sharing security concerns.

--
Sam Kline
Chief Development Engineer
SAINT Corporation