
[GPLHost SECURITY ADVISORY #1] DTC 404 error page Cross-Site Scripting / Phishing vulnerability if using IE



Vulnerability: XSS / Phishing
Problem-Type: remote
Version affected: < 0.25.8
Advisory number: #1, 2007/06/11

Dear users,

This is the first GPLHost security advisory ever for our packages. A
problem has been reported by Med venlig hilsen from Secunia Research
<http://secunia.com/>.

A remote attacker, using a specially crafted URI, could use the 404 error
page to execute unwanted JavaScript and/or for phishing. Here is the full
explanation.

On line 31 of /var/lib/dtc/etc/dtc404/404.php, the wrong URI is
presented to the user in the HTML page. If the user is using Internet
Explorer, then JavaScript embedded in the URL can be executed. Under
Firefox the URI is encoded correctly and the HTML code cannot appear in
the page, so Firefox is not affected. Most (if not all) developers of
DTC use Firefox under Linux, so we were not aware of this possibility.

As the URI is limited in size, the implications for a phishing attack
are low (the "fake" site would have to be embedded in a frame; otherwise
there is not enough space in the URL to present a working fake site).
Also, an XSS attack would be hard, as Internet Explorer still encodes the
characters ' and ", making it quite hard to execute code that would harm
the targeted computer.

Since DTC has moved all of its generated files to /var/lib/dtc/etc, the
404 error page has moved there too, and so only ONE version of this page,
the one embedded in the control panel package, can have been moved there.
The installer currently checks with md5sum whether it is that version,
and copies over the packaged version. If you didn't customize your
404.php file, or if you are using a version prior to 0.25.5 (before the
panel moved files to /var/lib/dtc/etc instead of /usr/share/dtc/etc),
then you can safely upgrade to our current Debian repository version
0.25.8-1, located on one of our mirrors:

Florida, USA (global): deb ftp://ftp.gplhost.com/debian etch main
Paris, France (europe): deb ftp://ftp.gplhost.fr/debian etch main
Singapore (Asia): deb ftp://ftp.gplhost.com/debian etch main

or using our CVS:

cvs -d :pserver:anonymous@xxxxxxxxxxx:/var/lib/cvs co dtc

then build the package using dpkg-buildpackage

But if you modified the default 404.php page, the installer will NOT
PATCH your customized 404.php (so you don't lose your modifications).
In that case you should apply the following change:

Replace:
<?php echo "URL: http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]; ?>

by:
<?php echo "URL: http://".$_SERVER["SERVER_NAME"].htmlspecialchars($_SERVER["REQUEST_URI"]); ?>

originally located at line 31 of the 404.php document.

If you don't want to upgrade, patching the file manually like this is
also safe.
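The following is an added illustration, not DTC's own 404.php, of the same escaping applied as a small function so it can be checked on a constructed request URI. It assumes the $_SERVER fields used in the snippet above and passes ENT_QUOTES explicitly, since htmlspecialchars() with its default flags on older PHP versions leaves the single quote untouched.

```php
<?php
// Added example (not part of DTC): build the "URL:" line of a 404 page so the
// raw request URI is always shown as text, never interpreted as HTML or script.
// Assumes the same SERVER_NAME / REQUEST_URI values that 404.php echoes.

function render_requested_url(string $serverName, string $requestUri): string
{
    // ENT_QUOTES escapes both ' and " (older PHP defaults only escaped ");
    // the charset is given explicitly so malformed bytes are not passed through.
    $safeHost = htmlspecialchars($serverName, ENT_QUOTES, 'UTF-8');
    $safeUri  = htmlspecialchars($requestUri, ENT_QUOTES, 'UTF-8');
    return 'URL: http://' . $safeHost . $safeUri;
}

// Returns true when no raw markup characters survive in the rendered line.
function contains_no_raw_markup(string $rendered): bool
{
    return strpbrk($rendered, '<>"\'') === false;
}

// Constructed sample input standing in for a crafted request to the 404 handler.
$sampleHost = 'www.example.net';
$sampleUri  = '/missing/<script>alert(1)</script>?q="x"&r=\'y\'';

// What the original line 31 did: the markup survives into the page.
$unsafe = 'URL: http://' . $sampleHost . $sampleUri;
// The patched form: the same bytes are displayed as text.
$safe = render_requested_url($sampleHost, $sampleUri);

echo "unescaped: ", $unsafe, PHP_EOL;
echo "escaped:   ", $safe, PHP_EOL;
echo "raw markup left in escaped output: ",
     contains_no_raw_markup($safe) ? 'none' : 'YES', PHP_EOL;
```

Run it with the PHP CLI to compare the two lines; the escaped output renders the request URI literally in any browser, so the IE-specific behaviour described above no longer matters.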

Security is a serious concern, and as we do not believe that "security
by obscurity" is a working model, we will continue to release security
advisories like this one to our mailing lists in the future. If you are
not subscribed, please send a mail to our moderated, low-traffic announce
mailing list:

dtcannounce-subscribe@xxxxxxxxxx

Thanks to the people of Secunia Research for the report.

On behalf of the DTC dev team and GPLHost,

Thomas Goirand

P.S: Note that this release has also many other improvements not related
--
Do not reply to this mail, subscribe to dtcdev@xxxxxxxxxx instead
To unsubscribe send a mail to dtcannounce-unsubscribe@xxxxxxxxxx