Nikto HTML Report Server Header Arbitrary Script Injection

2005-07-27T12:04:53
ID OSVDB:17886
Type osvdb
Reporter Mariano Nuñez Di Croce (mnunez@cybsec.com)
Modified 2005-07-27T12:04:53

Description

Vulnerability Description

Nikto contains a flaw that may allow a remote attacker to inject arbitrary script code. The issue occurs when a user runs Nikto with the -F option, specifying HTML output. With a cleverly crafted server header string, an attacker can inject custom script into the generated HTML report. When the user views the report in a graphical web browser, the script may be executed with the privileges of that user.

Technical Description

Due to the nature of the software, it is counterproductive to sanitize or limit the collected input in any fashion. Further, this vulnerability could only be exploited if an attacker knows that a system will be scanned with Nikto, has the ability to modify server headers such as "Server:", and the remote user explicitly selects the -F HTML option for report generation (not a default).
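The following is an added example, not Nikto's code (Nikto is written in Perl; this is a Python sketch of a report writer). It shows the flawed pattern next to an output-encoding variant that leaves the collected header data unmodified and encodes it only when the HTML report is rendered. All names, the target address and the header values are constructed for illustration.

```python
import html

# Constructed sample: headers as a scanner might collect them from a target.
# The Server value is controlled by the scanned host and contains markup.
COLLECTED = {
    "target": "192.0.2.10",
    "headers": {
        "Server": "Apache/2.0 <script>alert(1)</script>",
        "X-Powered-By": 'PHP/4.3 "mod" & more',
    },
}

def render_unsafe(scan):
    """Flawed pattern: collected values interpolated straight into HTML."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>"
                   for k, v in scan["headers"].items())
    return f"<html><body><h1>{scan['target']}</h1><table>{rows}</table></body></html>"

def esc(value):
    """HTML-encode a collected value for element or attribute context."""
    return html.escape(str(value), quote=True)

def render_safe(scan):
    """Same report; every collected value is encoded at output time only."""
    rows = "".join(f"<tr><td>{esc(k)}</td><td>{esc(v)}</td></tr>"
                   for k, v in scan["headers"].items())
    return (f"<html><body><h1>{esc(scan['target'])}</h1>"
            f"<table>{rows}</table></body></html>")

def contains_script_element(report):
    """Crude regression check: did a script element reach the output?"""
    return "<script" in report.lower()

def roundtrips(scan):
    """Encoding loses nothing: decoding each cell gives back the raw header."""
    return all(html.unescape(esc(v)) == v for v in scan["headers"].values())

if __name__ == "__main__":
    print("unsafe report has script element:",
          contains_script_element(render_unsafe(COLLECTED)))
    print("safe report has script element:  ",
          contains_script_element(render_safe(COLLECTED)))
    print("raw data preserved:", roundtrips(COLLECTED))
```

The browser displays the encoded header exactly as the server sent it, so the report stays faithful to the collected data while the markup is never interpreted.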

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: do not output the report in HTML format.


References:

Vendor URL: http://www.cirt.net/code/nikto.shtml
Secunia Advisory ID: 16669
Other Advisory URL: http://www.cybsec.com/vuln/010905-multiple_webscanner_script_injection.pdf
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0025.html
CVE-2005-2860
Bugtraq ID: 14717