http://bugzilla.novell.com/show_bug.cgi?id=561438 http://bugzilla.novell.com/show_bug.cgi?id=561438#c0 Summary: WebYAST RC2 unfiltered input Classification: openSUSE Product: openSUSE 11.2 Version: RC 2 Platform: Other OS/Version: Other Status: NEW Severity: Enhancement Priority: P5 - None Component: WebYaST AssignedTo: kkaempf@novell.com ReportedBy: thomas@novell.com QAContact: qa@suse.de Found By: Security Response Team Blocker: --- JFR and maybe it is already fixed. Will switch to RC4 tomorrow. Input from the XML API needs more filtering. For example binary data is directly written to a file. Just an example: xmlrpc-fuzzer> ./main.pl fuzz=sep auth=root:linux http://localhost:4984 target-list_WebYAST.txt Config: user: root password: linux target list: target-list_WebYAST.txt base url: http://localhost:4984 proxy: fuzz mode: sep Start Fuzzing: outcome file: outcome-localhost:4984.txt target: POST http://localhost:4984/network/hostname.xml Outcome: '500 Internal Server Error' -> unhandled, see log files [sep]: end of file reached Outcome: '500 Internal Server Error' -> unhandled, see log files [sep]: Broken pipe [...] The first POST writes 0 to the file (EOF). HTML tags are not filtered too AFAICS: xmlrpc-fuzzer> ./main.pl fuzz=html auth=root:linux http://localhost:4984 target-list_WebYAST.txt Config: user: root password: linux target list: target-list_WebYAST.txt base url: http://localhost:4984 proxy: fuzz mode: html Start Fuzzing: outcome file: outcome-localhost:4984.txt target: POST http://localhost:4984/network/hostname.xml Outcome: '200 OK' -> VERIFY (possible XSS vulnerability)[html] hostname[domain]=><br>XMLRPC Outcome: '200 OK' -> VERIFY (possible XSS vulnerability)[html] hostname[domain]=<b>bold</b> Outcome: '200 OK' -> VERIFY (possible XSS vulnerability)[html] hostname[domain]=