Westpoint Security Advisory

Title:        VisitorBook LE Mail Relay and Cross Site Scripting
Risk Rating:  Moderate
Software:     FreeScripts VisitorBook LE
Platforms:    Most Unix
Vendor URL:   http://www.freescripts.com/
Author:       Paul Johnston
Date:         10th December 2003
Advisory ID#: wp-03-0001
CVE:          CAN-2003-0979, CAN-2003-0980, CAN-2003-0981

Overview
========

VisitorBook is a "customizable, database-driven guestbook software ... used
all over the net", which fails to escape various control characters in user
input. This results in:

* Mail relaying
* Data loss
* Cross site scripting

The Common Vulnerabilities and Exposures (CVE) project has assigned the names
CAN-2003-0979, CAN-2003-0980 and CAN-2003-0981 to these issues. These are
candidates for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

Details
=======

Open mail relay [CAN-2003-0979]
-------------------------------

If $mailuser is set to 1 (not the default) then the script can be used as a
mail relay. This arises because line breaks are not escaped in the email
field, so you can relay mail by setting the email address to something like:

  victim@example.com
  From: spammer@example.com
  Subject: $$$ hardcore XXX
  ...

Guestbook database deleting / DoS
---------------------------------

Another consequence of the script failing to escape line breaks is that anyone
can remotely delete the log - they just need to submit an entry with more line
breaks than the value of $max_posts. Because this is caused by the same coding
error as the previous vulnerability, it does not have its own identifier.

If you do this with Windows line breaks, then the database file is so
corrupted afterwards that the script always gives "500 Internal Server Error".

The script also fails to escape pipe "|" characters, which it uses as a field
delimiter, although it's unlikely this can be exploited.
Cross site scripting [CAN-2003-0980]
------------------------------------

The "do" parameter is not escaped at all, which you can exploit like:

  http://fester/cgi-bin/visitorbook.pl?do=

The user parameter is also not escaped. To exploit this you need to use a rogue
DNS server to poison the script with a malicious reverse DNS response. More
about this below. Note: this would be difficult to exploit in practice and was
not actually exploited in my tests.

Quote marks are not escaped in any parameters. You can exploit this by signing
an entry with a web link like this:

  http://" onmouseover="alert('hello')" crap="

Also, ampersands (&) are not escaped in any parameters, although it's unlikely
this can be exploited.

Trust of reverse dns [CAN-2003-0981]
------------------------------------

The script uses the logic that it logs the user's reverse DNS name if
available, or IP address otherwise. The problem with this is that the reverse
DNS is untrusted data - someone can easily change their identity by setting
their reverse DNS to, say, "www.whitehouse.gov". This also leads to the
cross-site scripting attack mentioned above.

Workarounds
===========

Mail relay            Disable user mails, by setting $mailuser to 0
Data deleting         Modify code to escape line break characters on all
                      parameters
Cross site scripting  Modify code to escape <>&" characters on all parameters
Trusting reverse DNS  In Apache config set HostNameLookups to Off

History
=======

4 Nov 2003   Mailed all the email addresses in the source code, whois
             contacts for domain. No response.
5 Nov 2003   Raised a support ticket. The vendor indicated that the free
             version of the code had not been maintained for some time, but
             that sharing security related findings would be much appreciated.
10 Nov 2003  First detailed notification of vulnerabilities. No response.
21 Nov 2003  Passed draft advisory to vendor; indicated intention to publish
             on 10 Dec. No response.
9 Dec 2003   Reminded vendor of impending publication. No response.
11 Dec 2003  Advisory updated to include CVE identifiers.

This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-03-0001.txt
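As an added illustration of the workarounds listed above (example code, not part of this advisory and not VisitorBook's own code), the following Python shows the three escaping steps a flat-file guestbook of this kind needs: rejecting line breaks in an address before it reaches a mail header, encoding newline and pipe before writing a pipe-delimited record so one entry always stays one line, and HTML-escaping parameters before echoing them. The record layout, function names and sample entry are assumptions made for the example.

```python
import html
import re

# Added example, not VisitorBook's own code: constructed sanitizers that
# implement the advisory's workarounds. The assumed record format is one
# line per entry with fields joined by '|', as the advisory describes.

HEADER_BREAK = re.compile(r"[\r\n]")
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def mail_header_address(email):
    """Return the address if it is safe to place in a mail header, else None.
    A CR/LF would let the submitter append headers of their own."""
    if HEADER_BREAK.search(email) or not ADDRESS.match(email):
        return None
    return email

def encode_field(value):
    """Escape the flat-file delimiters: newline (record) and '|' (field)."""
    return (value.replace("\\", "\\\\").replace("\r", "\\r")
                 .replace("\n", "\\n").replace("|", "\\|"))

def make_record(fields):
    """Serialize one guestbook entry as exactly one line."""
    return "|".join(encode_field(f) for f in fields) + "\n"

def parse_record(line):
    """Split a stored line back into its fields, honouring the escapes."""
    fields, cur, i = [], [], 0
    line = line.rstrip("\n")
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append({"r": "\r", "n": "\n"}.get(line[i + 1], line[i + 1]))
            i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    fields.append("".join(cur))
    return fields

def render(value):
    """HTML-escape <>&" (and ') before echoing any parameter into the page."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    # Constructed sample entry carrying a line break and a pipe: it is
    # stored as a single record and round-trips unchanged.
    entry = ["1070000000", "guest", "a|b\nc", "<b>hi</b>"]
    rec = make_record(entry)
    assert rec.count("\n") == 1 and parse_record(rec) == entry
```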