Mephistoles Httpd 0.6.0final XSS

                           Donato Ferrante

Application: Mephistoles Httpd
              http://sourceforge.net/projects/mephistoles

Version: 0.6.0final

Bug: cross site scripting

Author: Donato Ferrante
              e-mail: fdonato_at_autistici.org
              web: www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"The Mephistoles Internet Suite includes at the present a HTTP server,
a FTP server, a DNS caching server, a (experimental and yet unsusable)
NetBIOS client and a client that can (currently) fetch pages via HTTP.
All programs written in Perl and small."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't make a full check on the strings sent by the
client, in fact the input strings are not filtered and they will
appear in the returned page.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability simply use strings like:

http://[host]/<A_SCRIPT>

for example:

http://[host]/<script>alert("Test")</script>

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

The vendor was contacted and soon will be released a new version of
Mephistoles Httpd, so go on the Mephistoles' official web site:
http://sourceforge.net/projects/mephistoles
and check for a new version.

Or, if you want, you can use my following little patch, that should
fix the bug for the version 0.6.0final of Mephistoles Httpd:

--- mephistoles-httpd-0.6.0final-noarch.pl 2004-01-21 12:16:34.000000000
+0100
+++ patch.pl 2004-01-21 12:25:56.000000000 +0100
@@ -205,7 +205,7 @@
  my $ic;

  if (opendir(DIR,$trdr.$public)) { } else {
- serr(404,$page);
+ serr(404,"");
   return;
   }

@@ -389,13 +389,13 @@
  $page=conv($page); # convert $page from %XX-encoding to plain ASCII

  if (evilhacker($page)) { # illegal filename
- serr(403,$page);
+ serr(403,"");
   return;
  }

  if (($cgiholes==1) && (defined $getstr)) { # minimal protection for bad
cgi-scripts!
   if (evilhacker($getstr)) {
- serr(403,$page);
+ serr(403,"");
    return;
   }
  }
@@ -411,7 +411,7 @@
      $trdr="/root/public_html/";
      $trp=$2;
     } else {
- serr(403,$page);
+ serr(403,"");
     }
    } else {
     $page =~ /^\/\~(.+?)\/(.*?)$/g;
@@ -449,11 +449,11 @@
  if ($reqt==2) { # POST-requests
   $ENV{"REQUEST_METHOD"}="POST";
   if ($postreq==0) {
- serr(403,"$page");
+ serr(403,"");
   } else {
    if ($postreq==1) {
     if (iscgi($trp)) {
- serr(403,"$page");
+ serr(403,"");
      return;
     }
    }
@@ -495,7 +495,7 @@
   $ENV{"REQUEST_METHOD"}="GET";

   if (!(-e $trdr.$trp)) {
- serr(404,$page);
+ serr(404,"");
    return;
   }

@@ -550,7 +550,7 @@
   }
   close(SRC);
  } else {
- serr(404,$page);
+ serr(404,"");
  }

 }

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Received on Jan 21 2004