Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Multiple vulnerabilities found in CSGuestbook by CoolSerlets.com

from [Josh884] Network Security [Permanent Link]
Subject: Multiple vulnerabilities found in CSGuestbook by CoolSerlets.com
Date: 24 Feb 2005 01:28:04 -0000 


Audit of the script: http://www.coolservlets.com/CSGuestbook/
About this script: This is an open source GuestBook script offered by 
CoolServlets.com
About the audit: This audit was performed by Daxgrapol and Dopel for RACAT (a 
subgroup of CASOS in the cyberarmy.net community).

Note in advance: The script is dated at Feb 10, 2000, suggesting it is about 5 
years old.

Exploits found: 

File name: CSGuesbook.java
Method name: public void service()
Vulnerability Description: Although there is only one user mode currently 
implemented,
the client could potentially send any user mode it wanted including "admin"
which currently is not authenticated.

File name: GuesbookFilter.java
Method name: public String filterBadwords()
Vulnerability Description: Only the first special character is filtered off of 
the return string.
This can lead to string being return with escape characters concatenated
on the user input.

Ex. "Hello\\"
(found by: Dopel).

- Buffer overflow is possible (input field length not checked).
(found by: Daxgrapol).

Some logical coding errors:
- the resulting hyperlink in the URL field (website of the signer) is something 
like this: 
http://localhost:8080/guestbook/www.sitename.com
(where localhost:8080/guestbook refers to my local configuration)
The error is in GuestBookEntry.java, line 59:
return "<a href=\"" + url + "\">" + url + "</a>";
must be :
return "<a href=\"http://"; + url + "\">" + url + "</a>";
This because the transmission protocol is not specified.

- In the method addDatabaseEntry(req, res, db) the input fields presence are 
validate like this:
String entry_name = request.getParameter("name");
if (entry_name == null) entry_name = "";
Better solution is:
String entry_name = "";
entry_name = request.getParameter("name").trim();
(This in order to avoid a 'valid' entry like ' x').

- There is not a check on the maxlenght of each input field. Wherever I can put 
the entire 'Divine Commedy'. This check is imperative in the servlet code, 
suggested in the html form.

- The email address is not checked as a real one (like the web address). Not 
really important in a guestbook, but if I ask for them why not to check them?
(found by: Daxgrapol). 

Conclusion:
This project is actually outdated by so much that we hope no-one uses it 
anymore, if you still do, you should really consider updating to something more 
safe, and coded to more recent standards.
Still this report should show you how important proper coding is.

On behalf of RACAT and CASOS,
Anvar
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Multiple vulnerabilities found in CSGuestbook by CoolSerlets.com, Josh884 <=
Previous by Date:  RE: Incorrect Classification of iDownload's Product as Spyware..., Roger A. Grimes
Next by Date:  RE: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability, Walton, John Michael (John)
Previous by Thread:  RE: Incorrect Classification of iDownload's Product as Spyware..., Roger A. Grimes
Next by Thread:  RE: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability, Walton, John Michael (John)
Indexes:  [Date] [Thread] [Top] [All Lists]