Mailinglist Archive: opensuse-bugs (6226 mails)

[Bug 561438] New: WebYAST RC2 unfiltered input
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 7 Dec 2009 19:35:59 +0000
  • Message-id: <bug-561438-21960@xxxxxxxxxxxxxxxxxxxxxxxx/>
http://bugzilla.novell.com/show_bug.cgi?id=561438

http://bugzilla.novell.com/show_bug.cgi?id=561438#c0


Summary: WebYAST RC2 unfiltered input
Classification: openSUSE
Product: openSUSE 11.2
Version: RC 2
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: WebYaST
AssignedTo: kkaempf@xxxxxxxxxx
ReportedBy: thomas@xxxxxxxxxx
QAContact: qa@xxxxxxx
Found By: Security Response Team
Blocker: ---


JFR and maybe it is already fixed. Will switch to RC4 tomorrow.

Input from the XML API needs more filtering. For example, binary data is
directly written to a file.

Just an example:
xmlrpc-fuzzer> ./main.pl fuzz=sep auth=root:linux http://localhost:4984
target-list_WebYAST.txt
Config:
user: root
password: linux
target list: target-list_WebYAST.txt
base url: http://localhost:4984
proxy:
fuzz mode: sep

Start Fuzzing:
outcome file: outcome-localhost:4984.txt
target: POST http://localhost:4984/network/hostname.xml
Outcome: '500 Internal Server Error' -> unhandled, see log
files [sep]: end of file reached
Outcome: '500 Internal Server Error' -> unhandled, see log
files [sep]: Broken pipe
[...]

The first POST writes 0 to the file (EOF).


HTML tags are not filtered either, AFAICS:
xmlrpc-fuzzer> ./main.pl fuzz=html auth=root:linux http://localhost:4984
target-list_WebYAST.txt
Config:
user: root
password: linux
target list: target-list_WebYAST.txt
base url: http://localhost:4984
proxy:
fuzz mode: html

Start Fuzzing:
outcome file: outcome-localhost:4984.txt
target: POST http://localhost:4984/network/hostname.xml
Outcome: '200 OK' -> VERIFY (possible XSS vulnerability)[html]
hostname[domain]=><br>XMLRPC
Outcome: '200 OK' -> VERIFY (possible XSS vulnerability)[html]
hostname[domain]=<b>bold</b>
Outcome: '200 OK' -> VERIFY (possible XSS vulnerability)[html]
hostname[domain]=<script

Entries fuzzed : 3
Entries suspicious: 3

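The report shows two inputs the hostname endpoint accepted without filtering: an empty/binary body that ended up written to a file, and HTML fragments in hostname[domain]. The following Ruby is an added example of the allow-list validation a Rails-style controller could apply to that parameter before it touches the filesystem or a page; it is not WebYaST's own code, and the function names, error class and the RFC 1123 label rule it enforces are assumptions made here. It goes beyond the three fuzzer cases on the page by also rejecting empty labels, leading/trailing hyphens and over-long names.

```ruby
require 'cgi'

# Hypothetical validator for the hostname[domain] parameter.
# Not WebYaST code; names and rules are assumptions for this example.

# One DNS label per RFC 1123: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen.
HOSTNAME_LABEL = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/

class InvalidHostnameError < ArgumentError; end

# Returns the normalised (lower-cased) domain or raises InvalidHostnameError.
# Every check happens before any file write or rendering would occur.
def validate_domain(value)
  raise InvalidHostnameError, 'missing value' if value.nil?

  str = value.to_s
  raise InvalidHostnameError, 'empty value' if str.empty?

  # Reject invalid encodings and control/binary bytes (the "0 bytes written"
  # case from the fuzzer) before the value goes anywhere near the filesystem.
  # valid_encoding? is checked first because match? raises on bad byte sequences.
  unless str.valid_encoding? && str.match?(/\A[[:print:]]+\z/)
    raise InvalidHostnameError, 'non-printable bytes'
  end

  raise InvalidHostnameError, 'too long' if str.length > 253

  # split with -1 keeps empty labels so "a..b" is rejected rather than silently collapsed.
  str.split('.', -1).each do |label|
    unless label.match?(HOSTNAME_LABEL)
      raise InvalidHostnameError, "bad label #{label.inspect}"
    end
  end

  str.downcase
end

# Non-raising wrapper for controller code: [true, domain] or [false, reason].
def check_domain(value)
  [true, validate_domain(value)]
rescue InvalidHostnameError => e
  [false, e.message]
end

# Output side: even a rejected value echoed back in an error page must be
# escaped, so "><br>XMLRPC" never reaches the browser as markup.
def escape_for_html(value)
  CGI.escapeHTML(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs, mirroring the fuzzer cases in the report.
  ['suse.de', '><br>XMLRPC', '<b>bold</b>', '<script', '', "\x00"].each do |input|
    ok, result = check_domain(input)
    puts "#{escape_for_html(input).inspect} -> #{ok ? "accepted #{result}" : "rejected (#{result})"}"
  end
end
```

In a controller the call would be `ok, domain = check_domain(params[:hostname][:domain])`, writing to the hostname file only when `ok` is true and rendering any echoed value through `escape_for_html`. The allow-list approach matters more than the specific regex: stripping `<script` or `<b>` from input is easy to bypass, whereas only accepting characters a hostname can legitimately contain leaves nothing for a fuzzer to smuggle through.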
